From: sashiko-bot@kernel.org
To: "David Windsor" <dwindsor@gmail.com>
Cc: selinux@vger.kernel.org, bpf@vger.kernel.org
Subject: Re: [PATCH v5 bpf-next 1/3] security: rework inode_init_security xattr handling
Date: Wed, 08 Jul 2026 00:20:29 +0000 [thread overview]
Message-ID: <20260708002030.53D9A1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260708000956.46138-2-dwindsor@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Heap buffer overflow in `security_lsmxattr_add()` due to xattr quota bypass by BPF programs.
- [Medium] `security_lsmxattr_add()` incorrectly returns `-EINVAL` instead of `-EOPNOTSUPP` when the xattr array is not allocated.
--
--- Patch [1]: [PATCH v5 bpf-next 1/3] security: rework inode_init_security xattr handling ---
commit 871b3020e8c69372708886992716ee08d2e36bc2
Author: David Windsor <dwindsor@gmail.com>
security: rework inode_init_security xattr handling
In preparation for bpf_init_inode_xattr(), a kfunc that lets bpf LSM
programs atomically label new inodes, rework how inode_init_security
xattrs are managed.
> diff --git a/security/security.c b/security/security.c
> --- a/security/security.c
> +++ b/security/security.c
[ ... ]
> +/**
> + * security_lsmxattr_add() - Add an xattr during inode_init_security
> + * @xattrs: xattr state shared by inode_init_security hooks
> + * @lsm_id: LSM_ID_* value identifying the calling LSM
> + * @name: xattr name suffix
> + * @value: xattr value
> + * @value_len: length of @value
> + *
> + * Claim an xattr slot in @xattrs on behalf of the LSM identified by
> + * @lsm_id and fill it with a copy of @name and @value. Callers can invoke
> + * this function from non-sleepable context.
> + *
> + * Return: Returns 0 on success, -ENOSPC if the calling LSM's slot budget
> + * is exhausted, negative values on other errors.
> + */
> +int security_lsmxattr_add(struct lsm_xattrs *xattrs, u64 lsm_id,
> + const char *name, const void *value,
> + size_t value_len)
> +{
> + struct xattr *xattr;
> + void *xattr_value;
> + size_t name_len;
> +
> + if (!xattrs || !xattrs->xattrs || !name || !value)
> + return -EINVAL;
[Severity: Medium]
Should this return -EOPNOTSUPP instead of -EINVAL when the xattrs array
is not allocated?
During file creation on filesystems without xattr support,
security_inode_init_security() is called with initxattrs == NULL,
deliberately leaving xattrs.xattrs unallocated.
If a BPF program then calls security_lsmxattr_add(), it will receive
-EINVAL. If the BPF program propagates this error, it will abort the
inode creation entirely because security_inode_init_security() only
treats -EOPNOTSUPP as a graceful fallback.
> +
> + name_len = strlen(name);
> + if (name_len == 0 || name_len > XATTR_NAME_MAX)
> + return -EINVAL;
> + if (value_len == 0 || value_len > XATTR_SIZE_MAX)
> + return -EINVAL;
> +
> + switch (lsm_id) {
> +#ifdef CONFIG_BPF_LSM
> + case LSM_ID_BPF:
> + if (lsm_xattrs_used(xattrs, XATTR_BPF_LSM_SUFFIX) >=
> + BPF_LSM_INODE_INIT_XATTRS)
> + return -ENOSPC;
[Severity: High]
Can this limit check be bypassed, leading to a heap buffer overflow?
If a BPF program repeatedly calls security_lsmxattr_add() with a name
that does not begin with XATTR_BPF_LSM_SUFFIX, lsm_xattrs_used() will
not count them.
This allows bypassing the BPF_LSM_INODE_INIT_XATTRS limit. Since
lsm_get_xattr_slot() does not check against the actual allocated heap
size, it will increment ctx->xattr_count and return out-of-bounds
pointers:
include/linux/lsm_hooks.h:lsm_get_xattr_slot() {
...
return &ctx->xattrs[ctx->xattr_count++];
}
Could this cause out-of-bounds writes when assigning xattr->value and
xattr->name further down in this function?
> + break;
> +#endif /* CONFIG_BPF_LSM */
> + default:
> + return -EINVAL;
> + }
> +
> + /* Combine xattr value + name into one allocation. */
> + xattr_value = kmalloc(value_len + name_len + 1, GFP_NOWAIT);
> + if (!xattr_value)
> + return -ENOMEM;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260708000956.46138-1-dwindsor@gmail.com?part=1
next prev parent reply other threads:[~2026-07-08 0:20 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 0:09 [PATCH v5 bpf-next 0/3] bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling David Windsor
2026-07-08 0:09 ` [PATCH v5 bpf-next 1/3] security: rework inode_init_security xattr handling David Windsor
2026-07-08 0:20 ` sashiko-bot [this message]
2026-07-08 0:31 ` David Windsor
2026-07-08 0:09 ` [PATCH v5 bpf-next 2/3] bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling David Windsor
2026-07-08 0:20 ` sashiko-bot
2026-07-08 0:09 ` [PATCH v5 bpf-next 3/3] selftests/bpf: add tests for bpf_init_inode_xattr kfunc David Windsor
2026-07-08 0:17 ` sashiko-bot
2026-07-08 3:12 ` [PATCH v5 bpf-next 0/3] bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling Kumar Kartikeya Dwivedi
2026-07-08 12:51 ` David Windsor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260708002030.53D9A1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=dwindsor@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox