| Message ID | a800496b-cae9-81bf-c79e-d8342418c5be@I-love.SAKURA.ne.jp (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | reiserfs: Initialize sec->length in reiserfs_security_init(). | expand |
On Thu, May 11, 2023 at 10:49 AM Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote: > > syzbot is reporting that sec->length is not initialized. > > Since security_inode_init_security() returns 0 when initxattrs is provided > but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will > reach to "if (sec->length && ...) {" without initializing sec->length. > > Reported-by: syzbot <syzbot+00a3779539a23cbee38c@syzkaller.appspotmail.com> > Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> > Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()") > --- > fs/reiserfs/xattr_security.c | 1 + > 1 file changed, 1 insertion(+) Adding the LSM list to the CC line. > diff --git a/fs/reiserfs/xattr_security.c b/fs/reiserfs/xattr_security.c > index 6e0a099dd788..078dd8cc312f 100644 > --- a/fs/reiserfs/xattr_security.c > +++ b/fs/reiserfs/xattr_security.c > @@ -67,6 +67,7 @@ int reiserfs_security_init(struct inode *dir, struct inode *inode, > > sec->name = NULL; > sec->value = NULL; > + sec->length = 0; > > /* Don't add selinux attributes on xattrs - they'll never get used */ > if (IS_PRIVATE(dir)) > -- > 2.18.4
On Sat, May 20, 2023 at 3:47 PM Paul Moore <paul@paul-moore.com> wrote: > On Thu, May 11, 2023 at 10:49 AM Tetsuo Handa > <penguin-kernel@i-love.sakura.ne.jp> wrote: > > > > syzbot is reporting that sec->length is not initialized. > > > > Since security_inode_init_security() returns 0 when initxattrs is provided > > but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will > > reach to "if (sec->length && ...) {" without initializing sec->length. > > > > Reported-by: syzbot <syzbot+00a3779539a23cbee38c@syzkaller.appspotmail.com> > > Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c > > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> > > Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()") > > --- > > fs/reiserfs/xattr_security.c | 1 + > > 1 file changed, 1 insertion(+) > > Adding the LSM list to the CC line. I haven't seen any objections, and it looks reasonable to me so I've gone ahead and merged it into lsm/next. This is arguably lsm/stable-6.4 material, but I'm going to stick with lsm/next in hopes that Roberto can resolve the other reiserfs issue and we can push all the reiser fixes up to Linus in one shot. The reality is that LSM xattrs have been broken on reiserfs for a long time and no one has complained, I figure a few more weeks isn't going to matter that much. Regardless, thanks for digging into this syzbot failure and sending a patch. > > diff --git a/fs/reiserfs/xattr_security.c b/fs/reiserfs/xattr_security.c > > index 6e0a099dd788..078dd8cc312f 100644 > > --- a/fs/reiserfs/xattr_security.c > > +++ b/fs/reiserfs/xattr_security.c > > @@ -67,6 +67,7 @@ int reiserfs_security_init(struct inode *dir, struct inode *inode, > > > > sec->name = NULL; > > sec->value = NULL; > > + sec->length = 0; > > > > /* Don't add selinux attributes on xattrs - they'll never get used */ > > if (IS_PRIVATE(dir)) > > -- > > 2.18.4
diff --git a/fs/reiserfs/xattr_security.c b/fs/reiserfs/xattr_security.c index 6e0a099dd788..078dd8cc312f 100644 --- a/fs/reiserfs/xattr_security.c +++ b/fs/reiserfs/xattr_security.c @@ -67,6 +67,7 @@ int reiserfs_security_init(struct inode *dir, struct inode *inode, sec->name = NULL; sec->value = NULL; + sec->length = 0; /* Don't add selinux attributes on xattrs - they'll never get used */ if (IS_PRIVATE(dir))
syzbot is reporting that sec->length is not initialized. Since security_inode_init_security() returns 0 when initxattrs is provided but call_int_hook(inode_init_security) returned -EOPNOTSUPP, control will reach to "if (sec->length && ...) {" without initializing sec->length. Reported-by: syzbot <syzbot+00a3779539a23cbee38c@syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=00a3779539a23cbee38c Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Fixes: 52ca4b6435a4 ("reiserfs: Switch to security_inode_init_security()") --- fs/reiserfs/xattr_security.c | 1 + 1 file changed, 1 insertion(+)