[PATCH] lsm: handle the NULL buffer case in lsm_fill_user_ctx()

Fri Mar 15 15:18:38 UTC 2024

On Fri, Mar 15, 2024 at 11:02 AM Serge E. Hallyn <serge at hallyn.com> wrote:
> On Wed, Mar 13, 2024 at 10:22:03PM -0400, Paul Moore wrote:
> > Passing a NULL buffer into the lsm_get_self_attr() syscall is a valid
> > way to quickly determine the minimum size of the buffer needed to for
> > the syscall to return all of the LSM attributes to the caller.
> > Unfortunately we/I broke that behavior in commit d7cf3412a9f6
> > ("lsm: consolidate buffer size handling into lsm_fill_user_ctx()")
> > such that it returned an error to the caller; this patch restores the
> > original desired behavior of using the NULL buffer as a quick way to
> > correctly size the attribute buffer.
> >
> > Cc: stable at vger.kernel.org
> > Fixes: d7cf3412a9f6 ("lsm: consolidate buffer size handling into lsm_fill_user_ctx()")
> > Signed-off-by: Paul Moore <paul at paul-moore.com>
> > ---
> >  security/security.c | 8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/security.c b/security/security.c
> > index 5b2e0a15377d..7e118858b545 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -780,7 +780,9 @@ static int lsm_superblock_alloc(struct super_block *sb)
> >   * @id: LSM id
> >   * @flags: LSM defined flags
> >   *
> > - * Fill all of the fields in a userspace lsm_ctx structure.
> > + * Fill all of the fields in a userspace lsm_ctx structure.  If @uctx is NULL
> > + * simply calculate the required size to output via @utc_len and return
> > + * success.
> >   *
> >   * Returns 0 on success, -E2BIG if userspace buffer is not large enough,
> >   * -EFAULT on a copyout error, -ENOMEM if memory can't be allocated.
> > @@ -799,6 +801,10 @@ int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
> >               goto out;
> >       }
> >
> > +     /* no buffer - return success/0 and set @uctx_len to the req size */
> > +     if (!uctx)
> > +             goto out;
>
> If the user just passes in *uctx_len=0, then they will get -E2BIG
> but still will get the length in *uctx_len.

Right, which is the desired behavior, this patch allows userspace to
not have to worry about supplying a buffer if they just want to check
the required size, regardless of the value passed in @uctx_len.

> To use it this new way, they have to first set *uctx_len to a
> value larger than nctx_len could possibly be, else they'll...
> still get -E2BIG.

True.

> So I'm not sure this patch has value.

Oh, but it resolves a kselftest failure in a released kernel, that's
worth a *lot* in my mind.

--
paul-moore.com