Re: [PATCH v36 18/33] LSM: Use lsmcontext in security_dentry_init_security

From: Dan Carpenter
Date: Thu Jun 23 2022 - 03:10:45 EST


Hi Casey,

url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220610-080129
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
config: parisc-randconfig-m031-20220622 (https://download.01.org/0day-ci/archive/20220623/202206230827.rGKbTxmu-lkp@xxxxxxxxx/config)
compiler: hppa-linux-gcc (GCC) 11.3.0

If you fix the issue, kindly add the following tags where applicable
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

New smatch warnings:
fs/fuse/dir.c:484 get_security_context() error: uninitialized symbol 'name'.

Old smatch warnings:
fs/fuse/dir.c:503 get_security_context() warn: is 'ptr' large enough for 'struct fuse_secctx'? 0

vim +/name +484 fs/fuse/dir.c

3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 462 static int get_security_context(struct dentry *entry, umode_t mode,
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 463 void **security_ctx, u32 *security_ctxlen)
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 464 {
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 465 struct fuse_secctx *fctx;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 466 struct fuse_secctx_header *header;
86d33e271bed73 Casey Schaufler 2022-06-09 467 struct lsmcontext lsmctx;
^^^^^^^^^^^^^^^^^^^^^^^^

86d33e271bed73 Casey Schaufler 2022-06-09 468 void *ptr;
86d33e271bed73 Casey Schaufler 2022-06-09 469 u32 total_len = sizeof(*header);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 470 int err, nr_ctx = 0;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 471 const char *name;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 472 size_t namelen;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 473
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 474 err = security_dentry_init_security(entry, mode, &entry->d_name,
86d33e271bed73 Casey Schaufler 2022-06-09 475 &name, &lsmctx);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 476 if (err) {
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 477 if (err != -EOPNOTSUPP)

Imagine "err == -EOPNOTSUPP".

3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 478 goto out_err;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 479 /* No LSM is supporting this security hook. Ignore error */
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 480 }
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 481
86d33e271bed73 Casey Schaufler 2022-06-09 482 if (lsmctx.len) {

Then actually "lsmctx.len" is uninitialized. Everything breaks after
that.

3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 483 nr_ctx = 1;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 @484 namelen = strlen(name) + 1;
^^^^
Warning.

3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 485 err = -EIO;
86d33e271bed73 Casey Schaufler 2022-06-09 486 if (WARN_ON(namelen > XATTR_NAME_MAX + 1 ||
86d33e271bed73 Casey Schaufler 2022-06-09 487 lsmctx.len > S32_MAX))
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 488 goto out_err;
86d33e271bed73 Casey Schaufler 2022-06-09 489 total_len += FUSE_REC_ALIGN(sizeof(*fctx) + namelen +
86d33e271bed73 Casey Schaufler 2022-06-09 490 lsmctx.len);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 491 }
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 492
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 493 err = -ENOMEM;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 494 header = ptr = kzalloc(total_len, GFP_KERNEL);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 495 if (!ptr)
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 496 goto out_err;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 497
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 498 header->nr_secctx = nr_ctx;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 499 header->size = total_len;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 500 ptr += sizeof(*header);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 501 if (nr_ctx) {
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 502 fctx = ptr;
86d33e271bed73 Casey Schaufler 2022-06-09 503 fctx->size = lsmctx.len;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 504 ptr += sizeof(*fctx);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 505
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 506 strcpy(ptr, name);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 507 ptr += namelen;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 508
86d33e271bed73 Casey Schaufler 2022-06-09 509 memcpy(ptr, lsmctx.context, lsmctx.len);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 510 }
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 511 *security_ctxlen = total_len;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 512 *security_ctx = header;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 513 err = 0;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 514 out_err:
86d33e271bed73 Casey Schaufler 2022-06-09 515 if (nr_ctx)
86d33e271bed73 Casey Schaufler 2022-06-09 516 security_release_secctx(&lsmctx);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 517 return err;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 518 }
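Review bot: The buffer allocated at line 494 uses kzalloc rather than kmalloc, and that choice is load-bearing but undocumented: total_len includes the FUSE_REC_ALIGN padding that nothing later writes, and the whole record is handed back through *security_ctx, presumably to be sent to the FUSE server, so a non-zeroing allocator would expose uninitialized kernel heap bytes in that padding. A one-line comment above the kzalloc would keep a future "switch to kmalloc" change from reintroducing that, e.g. `/* kzalloc: the FUSE_REC_ALIGN padding is never written and must not carry stale heap contents */`. Separately, the release at lines 515-516 is keyed on nr_ctx, i.e. on lsmctx.len being non-zero; if security_dentry_init_security can ever return 0 with an allocated context of length 0, that context would not be released — worth confirming against the hook's contract rather than assuming. get_security_context is complete within the quoted listing.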

--
0-DAY CI Kernel Test Service
https://01.org/lkp