Size mismatch between vfs_getxattr_alloc() and vfs_getxattr()

Roberto Sassu roberto.sassu at
Fri Jun 11 09:44:03 UTC 2021


the ima-evm-utils tool discovered an issue doing signature
verification of xattrs.

On kernel side, EVM reads the xattr value with
vfs_getxattr_alloc(), which gets the value directly from the
xattr handler.

On user side, ima-evm-utils reads the value with the
lgetxattr() system call, which gets the value from LSMs.

There is a corner case, where security.selinux is set directly
with setfattr without adding \0 at the end.

In this case, the kernel and the user see different values
due to the fact that the former gets the raw value from the
xattr handler, and the latter gets the value normalized by
SELinux (which adds \0).

I found that originally also lgetxattr() was getting the value
from the xattr handler. This changed with:

commit 4bea58053f206be9a89ca35850f9ad295dac2042
Author: David P. Quigley <dpquigl at>
Date:   Mon Feb 4 22:29:40 2008 -0800

    VFS: Reorder vfs_getxattr to avoid unnecessary calls to the LSM

which directly calls LSMs for security.* xattrs.

Given that this patch is there for a long time, I would ask
if it makes sense to fix this issue. The way I would do it
is to check if the size returned by the xattr handler is the
same of the size returned by LSMs. If not, I would get
the value from the xattr handler.

Although this change does not check the xattr content,
it is sufficient to fix the issue.

Any opinion?



Managing Director: Li Peng, Li Jian, Shi Yanli

More information about the Linux-security-module-archive mailing list