[PATCH] evm: zero-initialize the evm_xattrs read buffer
Roberto Sassu
roberto.sassu at huaweicloud.com
Mon Apr 13 15:20:04 UTC 2026
On Tue, 2026-04-07 at 14:09 +0800, Pengpeng Hou wrote:
> evm_read_xattrs() allocates size + 1 bytes, fills them from the list of
> enabled xattrs and then passes strlen(temp) to simple_read_from_buffer().
> When no configured xattrs are enabled, the fill loop stores nothing and
> temp[0] remains uninitialized, so strlen() reads beyond initialized
> memory.
>
> Use kzalloc() so the empty-list case stays a valid empty C string.
Please also add the Fixes: tag with the relevant commit.
> Signed-off-by: Pengpeng Hou <pengpeng at iscas.ac.cn>
> ---
> security/integrity/evm/evm_secfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
> index acd840461902..03d376fa36c2 100644
> --- a/security/integrity/evm/evm_secfs.c
> +++ b/security/integrity/evm/evm_secfs.c
> @@ -145,7 +145,7 @@ static ssize_t evm_read_xattrs(struct file *filp, char __user *buf,
> size += strlen(xattr->name) + 1;
> }
>
> - temp = kmalloc(size + 1, GFP_KERNEL);
> + temp = kzalloc(size + 1, GFP_KERNEL);
Yes, or just set temp[size] to the terminator so that we don't waste
computation. Can you also change sprintf() to snprintf()?
Thanks
Roberto
> if (!temp) {
> mutex_unlock(&xattr_list_mutex);
> return -ENOMEM;
More information about the Linux-security-module-archive
mailing list