From: sashiko-bot@kernel.org
To: "David Windsor" <dwindsor@gmail.com>
Cc: selinux@vger.kernel.org, bpf@vger.kernel.org
Subject: Re: [PATCH v5 bpf-next 1/3] security: rework inode_init_security xattr handling
Date: Wed, 08 Jul 2026 00:20:29 +0000 [thread overview]
Message-ID: <20260708002030.53D9A1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260708000956.46138-2-dwindsor@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Heap buffer overflow in `security_lsmxattr_add()` due to xattr quota bypass by BPF programs.
- [Medium] `security_lsmxattr_add()` incorrectly returns `-EINVAL` instead of `-EOPNOTSUPP` when the xattr array is not allocated.
--
--- Patch [1]: [PATCH v5 bpf-next 1/3] security: rework inode_init_security xattr handling ---
commit 871b3020e8c69372708886992716ee08d2e36bc2
Author: David Windsor <dwindsor@gmail.com>
security: rework inode_init_security xattr handling
In preparation for bpf_init_inode_xattr(), a kfunc that lets bpf LSM
programs atomically label new inodes, rework how inode_init_security
xattrs are managed.
> diff --git a/security/security.c b/security/security.c
> --- a/security/security.c
> +++ b/security/security.c
[ ... ]
> +/**
> + * security_lsmxattr_add() - Add an xattr during inode_init_security
> + * @xattrs: xattr state shared by inode_init_security hooks
> + * @lsm_id: LSM_ID_* value identifying the calling LSM
> + * @name: xattr name suffix
> + * @value: xattr value
> + * @value_len: length of @value
> + *
> + * Claim an xattr slot in @xattrs on behalf of the LSM identified by
> + * @lsm_id and fill it with a copy of @name and @value. Callers can invoke
> + * this function from non-sleepable context.
> + *
> + * Return: Returns 0 on success, -ENOSPC if the calling LSM's slot budget
> + * is exhausted, negative values on other errors.
> + */
> +int security_lsmxattr_add(struct lsm_xattrs *xattrs, u64 lsm_id,
> + const char *name, const void *value,
> + size_t value_len)
> +{
> + struct xattr *xattr;
> + void *xattr_value;
> + size_t name_len;
> +
> + if (!xattrs || !xattrs->xattrs || !name || !value)
> + return -EINVAL;
[Severity: Medium]
Should this return -EOPNOTSUPP instead of -EINVAL when the xattrs array
is not allocated?
During file creation on filesystems without xattr support,
security_inode_init_security() is called with initxattrs == NULL,
deliberately leaving xattrs.xattrs unallocated.
If a BPF program then calls security_lsmxattr_add(), it will receive
-EINVAL. If the BPF program propagates this error, it will abort the
inode creation entirely because security_inode_init_security() only
treats -EOPNOTSUPP as a graceful fallback.
> +
> + name_len = strlen(name);
> + if (name_len == 0 || name_len > XATTR_NAME_MAX)
> + return -EINVAL;
> + if (value_len == 0 || value_len > XATTR_SIZE_MAX)
> + return -EINVAL;
> +
> + switch (lsm_id) {
> +#ifdef CONFIG_BPF_LSM
> + case LSM_ID_BPF:
> + if (lsm_xattrs_used(xattrs, XATTR_BPF_LSM_SUFFIX) >=
> + BPF_LSM_INODE_INIT_XATTRS)
> + return -ENOSPC;
[Severity: High]
Can this limit check be bypassed, leading to a heap buffer overflow?
If a BPF program repeatedly calls security_lsmxattr_add() with a name
that does not begin with XATTR_BPF_LSM_SUFFIX, lsm_xattrs_used() will
not count them.
This allows bypassing the BPF_LSM_INODE_INIT_XATTRS limit. Since
lsm_get_xattr_slot() does not check against the actual allocated heap
size, it will increment ctx->xattr_count and return out-of-bounds
pointers:
include/linux/lsm_hooks.h:lsm_get_xattr_slot() {
...
return &ctx->xattrs[ctx->xattr_count++];
}
Could this cause out-of-bounds writes when assigning xattr->value and
xattr->name further down in this function?
> + break;
> +#endif /* CONFIG_BPF_LSM */
> + default:
> + return -EINVAL;
> + }
> +
> + /* Combine xattr value + name into one allocation. */
> + xattr_value = kmalloc(value_len + name_len + 1, GFP_NOWAIT);
> + if (!xattr_value)
> + return -ENOMEM;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260708000956.46138-1-dwindsor@gmail.com?part=1
next prev parent reply other threads:[~2026-07-08 0:20 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 0:09 [PATCH v5 bpf-next 0/3] bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling David Windsor
2026-07-08 0:09 ` [PATCH v5 bpf-next 1/3] security: rework inode_init_security xattr handling David Windsor
2026-07-08 0:20 ` sashiko-bot [this message]
2026-07-08 0:31 ` David Windsor
2026-07-08 0:09 ` [PATCH v5 bpf-next 2/3] bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling David Windsor
2026-07-08 0:20 ` sashiko-bot
2026-07-08 0:09 ` [PATCH v5 bpf-next 3/3] selftests/bpf: add tests for bpf_init_inode_xattr kfunc David Windsor
2026-07-08 0:17 ` sashiko-bot
2026-07-08 3:12 ` [PATCH v5 bpf-next 0/3] bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling Kumar Kartikeya Dwivedi
2026-07-08 12:51 ` David Windsor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260708002030.53D9A1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=dwindsor@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.