On Mon, Apr 1, 2019 at 6:34 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> The implementation of kernfs_security_xattr_*() helpers reuses the
> kernfs_node_xattr_*() functions, which take the suffix of the xattr name
> and extract full xattr name from it using xattr_full_name(). However,
> this function relies on the fact that the suffix passed to xattr
> handlers from VFS is always constructed from the full name by just
> incrementing the pointer. This doesn't necessarily hold for the callers
> of kernfs_security_xattr_*(), so their usage will easily lead to
> out-of-bounds access.
>
> Fix this by moving the xattr name reconstruction to the VFS xattr
> handlers and replacing the kernfs_security_xattr_*() helpers with more
> general kernfs_xattr_*() helpers that take full xattr name and allow
> accessing all kernfs node's xattrs.
>
> Reported-by: kernel test robot <rong.a.chen@xxxxxxxxx>
> Fixes: b230d5aba2d1 ("LSM: add new hook for kernfs node initialization")
> Fixes: ec882da5cda9 ("selinux: implement the kernfs_init_security hook")
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>
> v3: simplify kernfs xattr helpers as per Paul's suggestion
> v2: just rebase to update diff context
>
>  fs/kernfs/inode.c        | 62 ++++++++++++++--------------------------
>  include/linux/kernfs.h   | 18 ++++++------
>  security/selinux/hooks.c |  9 +++---
>  3 files changed, 33 insertions(+), 56 deletions(-)

This is better, thanks. Merged into selinux/next.

-- 
paul moore
www.paul-moore.com
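The pointer convention the commit message describes is easy to misread, so here is a small user-space model of it, added for this page rather than taken from kernfs or the patch. The node structure, `node_xattr_get()`, `suffix_is_derived()`, `vfs_security_handler_get()` and `lsm_get_selinux_label()` are hypothetical stand-ins for the kernel helpers, and the sample node contents are constructed. It shows the assumption that `xattr_full_name()` encodes (the suffix is the tail of a buffer that begins with the prefix), why a suffix a caller built on its own violates it, and the shape of the fix: the VFS handler, the one place that sees a suffix, rebuilds the full name in its own buffer, while every other caller passes a full name.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not kernfs code: names and layout are assumptions. */
#define XATTR_SECURITY_PREFIX "security."
#define XATTR_SECURITY_PREFIX_LEN (sizeof(XATTR_SECURITY_PREFIX) - 1)
#define MAX_XATTRS 4
#define NAME_MAX_LEN 64

struct xattr_entry { const char *name; const char *value; };

/* Stand-in for a kernfs node's xattr store, keyed by FULL xattr name. */
struct node { struct xattr_entry xattrs[MAX_XATTRS]; int count; };

/* Full-name lookup: the interface the v3 kernfs_xattr_*() helpers take. */
static const char *node_xattr_get(const struct node *n, const char *full_name)
{
    for (int i = 0; i < n->count; i++)
        if (strcmp(n->xattrs[i].name, full_name) == 0)
            return n->xattrs[i].value;
    return NULL;
}

/* The assumption behind "full name = suffix - prefix_len": the suffix must
 * point exactly prefix_len bytes into a buffer that starts with the prefix.
 * Checked with integer comparisons so an unrelated pointer never feeds
 * pointer arithmetic (which would be undefined behaviour in C). */
static int suffix_is_derived(const char *full_buf, size_t full_len, const char *suffix)
{
    uintptr_t b = (uintptr_t)full_buf, s = (uintptr_t)suffix;
    if (XATTR_SECURITY_PREFIX_LEN > full_len || s < b ||
        s - b != XATTR_SECURITY_PREFIX_LEN)
        return 0;
    return strncmp(full_buf, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) == 0;
}

/* Old-style reconstruction; only legal when suffix_is_derived() holds. */
static const char *full_name_from_derived_suffix(const char *suffix)
{
    return suffix - XATTR_SECURITY_PREFIX_LEN;
}

/* What the VFS xattr handler does after the fix: rebuild the full name in
 * its own bounded buffer, then call the full-name helper. */
static const char *vfs_security_handler_get(const struct node *n, const char *suffix)
{
    char full[NAME_MAX_LEN];
    int len = snprintf(full, sizeof(full), "%s%s", XATTR_SECURITY_PREFIX, suffix);
    if (len < 0 || (size_t)len >= sizeof(full))
        return NULL;                      /* name too long: refuse, do not truncate */
    return node_xattr_get(n, full);
}

/* LSM-side caller (the kernfs_init_security path): passes the full name,
 * so no suffix-based reconstruction happens at all. */
static const char *lsm_get_selinux_label(const struct node *n)
{
    return node_xattr_get(n, XATTR_SECURITY_PREFIX "selinux");
}

/* Constructed sample node; the values are made up for the example. */
static struct node make_sample_node(void)
{
    struct node n = { .count = 2 };
    n.xattrs[0] = (struct xattr_entry){ "security.selinux", "system_u:object_r:sysfs_t:s0" };
    n.xattrs[1] = (struct xattr_entry){ "trusted.overlay.opaque", "y" };
    return n;
}

static const char *sample_handler_get(const char *suffix)
{
    struct node n = make_sample_node();
    return vfs_security_handler_get(&n, suffix);   /* points at a string literal */
}

/* Returns 1 if the derived-suffix trick and the full-name API agree on the
 * sample node and a standalone suffix is correctly rejected, 0 otherwise. */
static int check_conventions(void)
{
    struct node n = make_sample_node();
    static const char full[] = "security.selinux";
    const char *derived = full + XATTR_SECURITY_PREFIX_LEN;   /* VFS-style suffix */
    static const char standalone[] = "selinux";               /* caller-built suffix */

    if (!suffix_is_derived(full, sizeof(full) - 1, derived)) return 0;
    if (strcmp(full_name_from_derived_suffix(derived), full) != 0) return 0;
    /* The bug in the original helpers: nothing sits in front of this string,
     * so subtracting prefix_len from it would leave the object entirely. */
    if (suffix_is_derived(full, sizeof(full) - 1, standalone)) return 0;

    const char *a = vfs_security_handler_get(&n, standalone);
    const char *b = lsm_get_selinux_label(&n);
    return a && b && strcmp(a, b) == 0;
}

int main(void)
{
    printf("%s\n", check_conventions() ? "ok" : "mismatch");
    return 0;
}
```

The practical takeaway is the one the patch acts on: a function that recovers a full name by pointer subtraction is only safe to call from the path that produced the suffix by pointer addition, so the reconstruction belongs in the VFS handler and every other entry point should take the full name.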