[PATCH v36 18/33] LSM: Use lsmcontext in security_dentry_init_security

Dan Carpenter dan.carpenter at oracle.com
Thu Jun 23 07:09:48 UTC 2022


Hi Casey,

url:    https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220610-080129
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
config: parisc-randconfig-m031-20220622 (https://download.01.org/0day-ci/archive/20220623/202206230827.rGKbTxmu-lkp@intel.com/config)
compiler: hppa-linux-gcc (GCC) 11.3.0

If you fix the issue, kindly add the following tags where applicable
Reported-by: kernel test robot <lkp at intel.com>
Reported-by: Dan Carpenter <dan.carpenter at oracle.com>

New smatch warnings:
fs/fuse/dir.c:484 get_security_context() error: uninitialized symbol 'name'.

Old smatch warnings:
fs/fuse/dir.c:503 get_security_context() warn: is 'ptr' large enough for 'struct fuse_secctx'? 0

vim +/name +484 fs/fuse/dir.c

3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  462  static int get_security_context(struct dentry *entry, umode_t mode,
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  463  				void **security_ctx, u32 *security_ctxlen)
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  464  {
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  465  	struct fuse_secctx *fctx;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  466  	struct fuse_secctx_header *header;
86d33e271bed73 Casey Schaufler 2022-06-09  467  	struct lsmcontext lsmctx;
                                                        ^^^^^^^^^^^^^^^^^^^^^^^^

86d33e271bed73 Casey Schaufler 2022-06-09  468  	void *ptr;
86d33e271bed73 Casey Schaufler 2022-06-09  469  	u32 total_len = sizeof(*header);
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  470  	int err, nr_ctx = 0;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  471  	const char *name;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  472  	size_t namelen;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  473  
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  474  	err = security_dentry_init_security(entry, mode, &entry->d_name,
86d33e271bed73 Casey Schaufler 2022-06-09  475  					    &name, &lsmctx);
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  476  	if (err) {
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  477  		if (err != -EOPNOTSUPP)

Imagine "err == -EOPNOTSUPP".

3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  478  			goto out_err;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  479  		/* No LSM is supporting this security hook. Ignore error */
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  480  	}
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  481  
86d33e271bed73 Casey Schaufler 2022-06-09  482  	if (lsmctx.len) {

Then "lsmctx.len" is actually uninitialized when it is read here.
Everything breaks after that.

3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  483  		nr_ctx = 1;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11 @484  		namelen = strlen(name) + 1;
                                                                                 ^^^^
Warning.

3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  485  		err = -EIO;
86d33e271bed73 Casey Schaufler 2022-06-09  486  		if (WARN_ON(namelen > XATTR_NAME_MAX + 1 ||
86d33e271bed73 Casey Schaufler 2022-06-09  487  		    lsmctx.len > S32_MAX))
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  488  			goto out_err;
86d33e271bed73 Casey Schaufler 2022-06-09  489  		total_len += FUSE_REC_ALIGN(sizeof(*fctx) + namelen +
86d33e271bed73 Casey Schaufler 2022-06-09  490  					    lsmctx.len);
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  491  	}
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  492  
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  493  	err = -ENOMEM;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  494  	header = ptr = kzalloc(total_len, GFP_KERNEL);
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  495  	if (!ptr)
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  496  		goto out_err;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  497  
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  498  	header->nr_secctx = nr_ctx;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  499  	header->size = total_len;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  500  	ptr += sizeof(*header);
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  501  	if (nr_ctx) {
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  502  		fctx = ptr;
86d33e271bed73 Casey Schaufler 2022-06-09  503  		fctx->size = lsmctx.len;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  504  		ptr += sizeof(*fctx);
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  505  
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  506  		strcpy(ptr, name);
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  507  		ptr += namelen;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  508  
86d33e271bed73 Casey Schaufler 2022-06-09  509  		memcpy(ptr, lsmctx.context, lsmctx.len);
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  510  	}
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  511  	*security_ctxlen = total_len;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  512  	*security_ctx = header;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  513  	err = 0;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  514  out_err:
86d33e271bed73 Casey Schaufler 2022-06-09  515  	if (nr_ctx)
86d33e271bed73 Casey Schaufler 2022-06-09  516  		security_release_secctx(&lsmctx);
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  517  	return err;
3e2b6fdbdc9ab5 Vivek Goyal     2021-11-11  518  }
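Review bot: The cleanup at `out_err` (lines 515-516) releases `lsmctx` only when `nr_ctx` is set, and `nr_ctx` is set only inside the `if (lsmctx.len)` branch at line 482, so the release depends on the length field alone and not on whether the hook returned success; that invariant is not written down anywhere in the function. If a successful hook can return a context with a zero length, which cannot be told from this listing, that context would never reach `security_release_secctx()`. I would either document the assumption above the check, e.g. `/* lsmctx holds a context only if the hook reported a non-zero length */`, or record the hook's success in its own local and release on that.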

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp


