BPF List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "David Windsor" <dwindsor@gmail.com>
Cc: selinux@vger.kernel.org, bpf@vger.kernel.org
Subject: Re: [PATCH v5 bpf-next 1/3] security: rework inode_init_security xattr handling
Date: Wed, 08 Jul 2026 00:20:29 +0000	[thread overview]
Message-ID: <20260708002030.53D9A1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260708000956.46138-2-dwindsor@gmail.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Heap buffer overflow in `security_lsmxattr_add()` due to xattr quota bypass by BPF programs.
- [Medium] `security_lsmxattr_add()` incorrectly returns `-EINVAL` instead of `-EOPNOTSUPP` when the xattr array is not allocated.
--

--- Patch [1]: [PATCH v5 bpf-next 1/3] security: rework inode_init_security xattr handling ---
commit 871b3020e8c69372708886992716ee08d2e36bc2
Author: David Windsor <dwindsor@gmail.com>

security: rework inode_init_security xattr handling

In preparation for bpf_init_inode_xattr(), a kfunc that lets bpf LSM
programs atomically label new inodes, rework how inode_init_security
xattrs are managed.

> diff --git a/security/security.c b/security/security.c
> --- a/security/security.c
> +++ b/security/security.c

[ ... ]

> +/**
> + * security_lsmxattr_add() - Add an xattr during inode_init_security
> + * @xattrs: xattr state shared by inode_init_security hooks
> + * @lsm_id: LSM_ID_* value identifying the calling LSM
> + * @name: xattr name suffix
> + * @value: xattr value
> + * @value_len: length of @value
> + *
> + * Claim an xattr slot in @xattrs on behalf of the LSM identified by
> + * @lsm_id and fill it with a copy of @name and @value. Callers can invoke
> + * this function from non-sleepable context.
> + *
> + * Return: Returns 0 on success, -ENOSPC if the calling LSM's slot budget
> + *         is exhausted, negative values on other errors.
> + */
> +int security_lsmxattr_add(struct lsm_xattrs *xattrs, u64 lsm_id,
> +			  const char *name, const void *value,
> +			  size_t value_len)
> +{
> +	struct xattr *xattr;
> +	void *xattr_value;
> +	size_t name_len;
> +
> +	if (!xattrs || !xattrs->xattrs || !name || !value)
> +		return -EINVAL;

[Severity: Medium]
Should this return -EOPNOTSUPP instead of -EINVAL when the xattrs array
is not allocated?

During file creation on filesystems without xattr support,
security_inode_init_security() is called with initxattrs == NULL,
deliberately leaving xattrs.xattrs unallocated.

If a BPF program then calls security_lsmxattr_add(), it will receive
-EINVAL. If the BPF program propagates this error, it will abort the
inode creation entirely because security_inode_init_security() only
treats -EOPNOTSUPP as a graceful fallback.

> +
> +	name_len = strlen(name);
> +	if (name_len == 0 || name_len > XATTR_NAME_MAX)
> +		return -EINVAL;
> +	if (value_len == 0 || value_len > XATTR_SIZE_MAX)
> +		return -EINVAL;
> +
> +	switch (lsm_id) {
> +#ifdef CONFIG_BPF_LSM
> +	case LSM_ID_BPF:
> +		if (lsm_xattrs_used(xattrs, XATTR_BPF_LSM_SUFFIX) >=
> +		    BPF_LSM_INODE_INIT_XATTRS)
> +			return -ENOSPC;

[Severity: High]
Can this limit check be bypassed, leading to a heap buffer overflow?

If a BPF program repeatedly calls security_lsmxattr_add() with a name
that does not begin with XATTR_BPF_LSM_SUFFIX, lsm_xattrs_used() will
not count them.

This allows bypassing the BPF_LSM_INODE_INIT_XATTRS limit. Since
lsm_get_xattr_slot() does not check against the actual allocated heap
size, it will increment ctx->xattr_count and return out-of-bounds
pointers:

include/linux/lsm_hooks.h:lsm_get_xattr_slot() {
    ...
    return &ctx->xattrs[ctx->xattr_count++];
}

Could this cause out-of-bounds writes when assigning xattr->value and
xattr->name further down in this function?

> +		break;
> +#endif /* CONFIG_BPF_LSM */
> +	default:
> +		return -EINVAL;
> +	}
> +
> +	/* Combine xattr value + name into one allocation. */
> +	xattr_value = kmalloc(value_len + name_len + 1, GFP_NOWAIT);
> +	if (!xattr_value)
> +		return -ENOMEM;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260708000956.46138-1-dwindsor@gmail.com?part=1

  reply	other threads:[~2026-07-08  0:20 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-08  0:09 [PATCH v5 bpf-next 0/3] bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling David Windsor
2026-07-08  0:09 ` [PATCH v5 bpf-next 1/3] security: rework inode_init_security xattr handling David Windsor
2026-07-08  0:20   ` sashiko-bot [this message]
2026-07-08  0:31     ` David Windsor
2026-07-08  0:09 ` [PATCH v5 bpf-next 2/3] bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling David Windsor
2026-07-08  0:20   ` sashiko-bot
2026-07-08  0:09 ` [PATCH v5 bpf-next 3/3] selftests/bpf: add tests for bpf_init_inode_xattr kfunc David Windsor
2026-07-08  0:17   ` sashiko-bot
2026-07-08  3:12 ` [PATCH v5 bpf-next 0/3] bpf: add bpf_init_inode_xattr kfunc for atomic inode labeling Kumar Kartikeya Dwivedi
2026-07-08 12:51   ` David Windsor

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260708002030.53D9A1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=dwindsor@gmail.com \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox