From: Petr Vorel <pvorel@suse.cz>
To: Andrea Cervesato <andrea.cervesato@suse.de>
Cc: linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Paul Eggert <eggert@cs.ucla.edu>,
ltp@lists.linux.it
Subject: Re: [LTP] [PATCH v4 2/2] Add listxattr04 reproducer
Date: Tue, 22 Jul 2025 16:11:04 +0200 [thread overview]
Message-ID: <20250722141104.GC84869@pevik> (raw)
In-Reply-To: <20250722-xattr_bug_repr-v4-2-4be1e52e97c6@suse.com>
Hi Andrea,
FYI Andrea's LTP reproducer for a bug introduced in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8b0ba61df5a1
and fixed in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=800d0b9b6a8b
> From: Andrea Cervesato <andrea.cervesato@suse.com>
> Test reproducer for a bug introduced in 8b0ba61df5a1 ("fs/xattr.c: fix
> simple_xattr_list to always include security.* xattrs").
> Bug can be reproduced when SELinux and ACL are activated on inodes as
> following:
> $ touch testfile
> $ setfacl -m u:myuser:rwx testfile
> $ getfattr -dm. /tmp/testfile
> Segmentation fault (core dumped)
> The reason why this happens is that simple_xattr_list() always includes
> security.* xattrs without resetting error flag after
> security_inode_listsecurity(). This results into an incorrect length of the
> returned xattr name if POSIX ACL is also applied on the inode.
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> testcases/kernel/syscalls/listxattr/.gitignore | 1 +
> testcases/kernel/syscalls/listxattr/Makefile | 2 +
> testcases/kernel/syscalls/listxattr/listxattr04.c | 108 ++++++++++++++++++++++
> 3 files changed, 111 insertions(+)
> diff --git a/testcases/kernel/syscalls/listxattr/.gitignore b/testcases/kernel/syscalls/listxattr/.gitignore
> index be0675a6df0080d176d53d70194442bbc9ed376c..0d672b6ea5eec03aab37ee89316c56e24356c1d9 100644
> --- a/testcases/kernel/syscalls/listxattr/.gitignore
> +++ b/testcases/kernel/syscalls/listxattr/.gitignore
> @@ -1,3 +1,4 @@
> /listxattr01
> /listxattr02
> /listxattr03
> +/listxattr04
> diff --git a/testcases/kernel/syscalls/listxattr/Makefile b/testcases/kernel/syscalls/listxattr/Makefile
> index c2f84b1590fc24a7a98f890ea7706771d944aa79..e96bb3fa4c2c6b14b8d2bc8fd4c475e4789d72fe 100644
> --- a/testcases/kernel/syscalls/listxattr/Makefile
> +++ b/testcases/kernel/syscalls/listxattr/Makefile
> @@ -6,4 +6,6 @@ top_srcdir ?= ../../../..
> include $(top_srcdir)/include/mk/testcases.mk
> +listxattr04: LDLIBS += $(ACL_LIBS)
> +
> include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/kernel/syscalls/listxattr/listxattr04.c b/testcases/kernel/syscalls/listxattr/listxattr04.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..473ed45b5c2da8ff8e49c513eeb82158ec2dc066
> --- /dev/null
> +++ b/testcases/kernel/syscalls/listxattr/listxattr04.c
> @@ -0,0 +1,108 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2025 Andrea Cervesato <andrea.cervesato@suse.com>
> + */
> +
> +/*\
> + * Test reproducer for a bug introduced in 8b0ba61df5a1 ("fs/xattr.c: fix
> + * simple_xattr_list to always include security.* xattrs").
> + *
> + * Bug can be reproduced when SELinux and ACL are activated on inodes as
> + * following:
> + *
> + * $ touch testfile
> + * $ setfacl -m u:myuser:rwx testfile
> + * $ getfattr -dm. /tmp/testfile
> + * Segmentation fault (core dumped)
> + *
> + * The reason why this happens is that simple_xattr_list() always includes
> + * security.* xattrs without resetting error flag after
> + * security_inode_listsecurity(). This results into an incorrect length of the
> + * returned xattr name if POSIX ACL is also applied on the inode.
> + */
> +
> +#include "config.h"
> +#include "tst_test.h"
> +
> +#if defined(HAVE_SYS_XATTR_H) && defined(HAVE_LIBACL)
> +
> +#include <pwd.h>
> +#include <sys/acl.h>
> +#include <sys/xattr.h>
> +
> +#define ACL_PERM "u::rw-,u:root:rwx,g::r--,o::r--,m::rwx"
> +#define TEST_FILE "test.bin"
> +
> +static acl_t acl;
> +
> +static void verify_xattr(const int size)
> +{
> + char buf[size];
> +
> + memset(buf, 0, sizeof(buf));
> +
> + if (listxattr(TEST_FILE, buf, size) == -1) {
> + if (errno != ERANGE)
> + tst_brk(TBROK | TERRNO, "listxattr() error");
The original verifier from RH bugreport check sizes and also works if size > -1
is returned, but I guess it's not necessary, because Andrea's reproducer works
as expected (fails on affected 6.16-rc1 based openSUSE kernel, works on 6.15.x).
LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2369561
> +
> + tst_res(TFAIL, "listxattr() failed to read attributes length: ERANGE");
> + return;
> + }
> +
> + tst_res(TPASS, "listxattr() correctly read attributes length");
> +}
> +
> +static void run(void)
> +{
> + int size;
> +
> + size = listxattr(TEST_FILE, NULL, 0);
> + if (size == -1)
> + tst_brk(TBROK | TERRNO, "listxattr() error");
> +
> + verify_xattr(size);
> +}
> +
> +static void setup(void)
> +{
> + int res;
> +
> + if (!tst_selinux_enabled())
> + tst_brk(TCONF, "SELinux is not enabled");
> +
> + SAFE_TOUCH(TEST_FILE, 0644, NULL);
> +
> + acl = acl_from_text(ACL_PERM);
> + if (!acl)
> + tst_brk(TBROK | TERRNO, "acl_from_text() failed");
> +
> + res = acl_set_file(TEST_FILE, ACL_TYPE_ACCESS, acl);
> + if (res == -1) {
> + if (errno == EOPNOTSUPP)
> + tst_brk(TCONF | TERRNO, "acl_set_file()");
> +
> + tst_brk(TBROK | TERRNO, "acl_set_file(%s) failed", TEST_FILE);
> + }
> +}
> +
> +static void cleanup(void)
> +{
> + if (acl)
> + acl_free(acl);
> +}
> +
> +static struct tst_test test = {
> + .test_all = run,
> + .setup = setup,
> + .cleanup = cleanup,
> + .needs_root = 1,
> + .needs_tmpdir = 1,
> + .tags = (const struct tst_tag[]) {
> + {"linux-git", "800d0b9b6a8b"},
> + {}
> + }
> +};
> +
> +#else /* HAVE_SYS_XATTR_H && HAVE_LIBACL */
> + TST_TEST_TCONF("<sys/xattr.h> or <sys/acl.h> does not exist.");
> +#endif
--
Mailing list info: https://lists.linux.it/listinfo/ltp
WARNING: multiple messages have this Message-ID (diff)
From: Petr Vorel <pvorel@suse.cz>
To: Andrea Cervesato <andrea.cervesato@suse.de>
Cc: ltp@lists.linux.it,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Paul Eggert <eggert@cs.ucla.edu>,
linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [LTP] [PATCH v4 2/2] Add listxattr04 reproducer
Date: Tue, 22 Jul 2025 16:11:04 +0200 [thread overview]
Message-ID: <20250722141104.GC84869@pevik> (raw)
In-Reply-To: <20250722-xattr_bug_repr-v4-2-4be1e52e97c6@suse.com>
Hi Andrea,
FYI Andrea's LTP reproducer for a bug introduced in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8b0ba61df5a1
and fixed in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=800d0b9b6a8b
> From: Andrea Cervesato <andrea.cervesato@suse.com>
> Test reproducer for a bug introduced in 8b0ba61df5a1 ("fs/xattr.c: fix
> simple_xattr_list to always include security.* xattrs").
> Bug can be reproduced when SELinux and ACL are activated on inodes as
> following:
> $ touch testfile
> $ setfacl -m u:myuser:rwx testfile
> $ getfattr -dm. /tmp/testfile
> Segmentation fault (core dumped)
> The reason why this happens is that simple_xattr_list() always includes
> security.* xattrs without resetting error flag after
> security_inode_listsecurity(). This results into an incorrect length of the
> returned xattr name if POSIX ACL is also applied on the inode.
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> testcases/kernel/syscalls/listxattr/.gitignore | 1 +
> testcases/kernel/syscalls/listxattr/Makefile | 2 +
> testcases/kernel/syscalls/listxattr/listxattr04.c | 108 ++++++++++++++++++++++
> 3 files changed, 111 insertions(+)
> diff --git a/testcases/kernel/syscalls/listxattr/.gitignore b/testcases/kernel/syscalls/listxattr/.gitignore
> index be0675a6df0080d176d53d70194442bbc9ed376c..0d672b6ea5eec03aab37ee89316c56e24356c1d9 100644
> --- a/testcases/kernel/syscalls/listxattr/.gitignore
> +++ b/testcases/kernel/syscalls/listxattr/.gitignore
> @@ -1,3 +1,4 @@
> /listxattr01
> /listxattr02
> /listxattr03
> +/listxattr04
> diff --git a/testcases/kernel/syscalls/listxattr/Makefile b/testcases/kernel/syscalls/listxattr/Makefile
> index c2f84b1590fc24a7a98f890ea7706771d944aa79..e96bb3fa4c2c6b14b8d2bc8fd4c475e4789d72fe 100644
> --- a/testcases/kernel/syscalls/listxattr/Makefile
> +++ b/testcases/kernel/syscalls/listxattr/Makefile
> @@ -6,4 +6,6 @@ top_srcdir ?= ../../../..
> include $(top_srcdir)/include/mk/testcases.mk
> +listxattr04: LDLIBS += $(ACL_LIBS)
> +
> include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/kernel/syscalls/listxattr/listxattr04.c b/testcases/kernel/syscalls/listxattr/listxattr04.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..473ed45b5c2da8ff8e49c513eeb82158ec2dc066
> --- /dev/null
> +++ b/testcases/kernel/syscalls/listxattr/listxattr04.c
> @@ -0,0 +1,108 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2025 Andrea Cervesato <andrea.cervesato@suse.com>
> + */
> +
> +/*\
> + * Test reproducer for a bug introduced in 8b0ba61df5a1 ("fs/xattr.c: fix
> + * simple_xattr_list to always include security.* xattrs").
> + *
> + * Bug can be reproduced when SELinux and ACL are activated on inodes as
> + * following:
> + *
> + * $ touch testfile
> + * $ setfacl -m u:myuser:rwx testfile
> + * $ getfattr -dm. /tmp/testfile
> + * Segmentation fault (core dumped)
> + *
> + * The reason why this happens is that simple_xattr_list() always includes
> + * security.* xattrs without resetting error flag after
> + * security_inode_listsecurity(). This results into an incorrect length of the
> + * returned xattr name if POSIX ACL is also applied on the inode.
> + */
> +
> +#include "config.h"
> +#include "tst_test.h"
> +
> +#if defined(HAVE_SYS_XATTR_H) && defined(HAVE_LIBACL)
> +
> +#include <pwd.h>
> +#include <sys/acl.h>
> +#include <sys/xattr.h>
> +
> +#define ACL_PERM "u::rw-,u:root:rwx,g::r--,o::r--,m::rwx"
> +#define TEST_FILE "test.bin"
> +
> +static acl_t acl;
> +
> +static void verify_xattr(const int size)
> +{
> + char buf[size];
> +
> + memset(buf, 0, sizeof(buf));
> +
> + if (listxattr(TEST_FILE, buf, size) == -1) {
> + if (errno != ERANGE)
> + tst_brk(TBROK | TERRNO, "listxattr() error");
The original verifier from RH bugreport check sizes and also works if size > -1
is returned, but I guess it's not necessary, because Andrea's reproducer works
as expected (fails on affected 6.16-rc1 based openSUSE kernel, works on 6.15.x).
LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2369561
> +
> + tst_res(TFAIL, "listxattr() failed to read attributes length: ERANGE");
> + return;
> + }
> +
> + tst_res(TPASS, "listxattr() correctly read attributes length");
> +}
> +
> +static void run(void)
> +{
> + int size;
> +
> + size = listxattr(TEST_FILE, NULL, 0);
> + if (size == -1)
> + tst_brk(TBROK | TERRNO, "listxattr() error");
> +
> + verify_xattr(size);
> +}
> +
> +static void setup(void)
> +{
> + int res;
> +
> + if (!tst_selinux_enabled())
> + tst_brk(TCONF, "SELinux is not enabled");
> +
> + SAFE_TOUCH(TEST_FILE, 0644, NULL);
> +
> + acl = acl_from_text(ACL_PERM);
> + if (!acl)
> + tst_brk(TBROK | TERRNO, "acl_from_text() failed");
> +
> + res = acl_set_file(TEST_FILE, ACL_TYPE_ACCESS, acl);
> + if (res == -1) {
> + if (errno == EOPNOTSUPP)
> + tst_brk(TCONF | TERRNO, "acl_set_file()");
> +
> + tst_brk(TBROK | TERRNO, "acl_set_file(%s) failed", TEST_FILE);
> + }
> +}
> +
> +static void cleanup(void)
> +{
> + if (acl)
> + acl_free(acl);
> +}
> +
> +static struct tst_test test = {
> + .test_all = run,
> + .setup = setup,
> + .cleanup = cleanup,
> + .needs_root = 1,
> + .needs_tmpdir = 1,
> + .tags = (const struct tst_tag[]) {
> + {"linux-git", "800d0b9b6a8b"},
> + {}
> + }
> +};
> +
> +#else /* HAVE_SYS_XATTR_H && HAVE_LIBACL */
> + TST_TEST_TCONF("<sys/xattr.h> or <sys/acl.h> does not exist.");
> +#endif
next prev parent reply other threads:[~2025-07-22 14:11 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-22 6:55 [LTP] [PATCH v4 0/2] Add listxattr04 test reproducer Andrea Cervesato
2025-07-22 6:55 ` [LTP] [PATCH v4 1/2] core: add tst_selinux_enabled() utility Andrea Cervesato
2025-07-22 10:51 ` Petr Vorel
2025-07-22 12:06 ` Petr Vorel
2025-07-22 13:18 ` Stephen Smalley
2025-07-22 13:20 ` Stephen Smalley
2025-07-22 13:42 ` Petr Vorel
2025-07-22 13:48 ` Stephen Smalley
2025-07-23 11:17 ` Andrea Cervesato via ltp
2025-07-23 12:51 ` Petr Vorel
2025-07-23 11:19 ` Andrea Cervesato via ltp
2025-07-23 12:41 ` Petr Vorel
2025-07-23 12:43 ` Andrea Cervesato via ltp
2025-07-23 12:46 ` Stephen Smalley
2025-07-23 13:13 ` Stephen Smalley
2025-07-23 13:15 ` Andrea Cervesato via ltp
2025-07-23 19:50 ` Petr Vorel
2025-07-22 19:12 ` Wei Gao via ltp
2025-07-22 6:55 ` [LTP] [PATCH v4 2/2] Add listxattr04 reproducer Andrea Cervesato
2025-07-22 14:11 ` Petr Vorel [this message]
2025-07-22 14:11 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250722141104.GC84869@pevik \
--to=pvorel@suse.cz \
--cc=andrea.cervesato@suse.de \
--cc=eggert@cs.ucla.edu \
--cc=linux-fsdevel@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.