From: Mimi Zohar
Date: Tue, 29 May 2018 12:31:32 +0000
Subject: Re: [PATCH] EVM: Fix null dereference on xattr when xattr fails to allocate
Message-Id: <1527597092.10176.17.camel@linux.vnet.ibm.com>
References: <20180527225510.25612-1-colin.king@canonical.com> <20180529090504.6dpdadjyjxo45nu2@mwanda>
In-Reply-To: <20180529090504.6dpdadjyjxo45nu2@mwanda>
To: Dan Carpenter, Colin King
Cc: Matthew Garrett, James Morris, "Serge E . Hallyn", linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org

Hi Dan,

On Tue, 2018-05-29 at 12:05 +0300, Dan Carpenter wrote:
> Not really related to this patch except I was looking at the function:
>
> security/integrity/evm/evm_secfs.c
> 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR);
> 	if (IS_ERR(ab))
> 		return PTR_ERR(ab);
>
> 	xattr = kmalloc(sizeof(struct xattr_list), GFP_KERNEL);
> 	if (!xattr) {
> 		err = -ENOMEM;
> 		goto out;
> 	}
>
> 	xattr->name = memdup_user_nul(buf, count);
> 	if (IS_ERR(xattr->name)) {
> 		err = PTR_ERR(xattr->name);
> 		xattr->name = NULL;
> 		goto out;
> 	}
>
> 	/* Remove any trailing newline */
> 	len = strlen(xattr->name);
> 	if (xattr->name[len-1] == '\n')
>
> strlen() could be zero, leading to a read underflow here.

Thanks!  Could you modify the maximum xattr size check (before this
code snippet) to check for underflow?

Mimi

>
> 		xattr->name[len-1] = '\0';
>
> 	if (strcmp(xattr->name, ".") == 0) {
> 		evm_xattrs_locked = 1;
> 		newattrs.ia_mode = S_IFREG | 0440;
> 		newattrs.ia_valid = ATTR_MODE;
> 		inode = evm_xattrs->d_inode;
> 		inode_lock(inode);
> 		err = simple_setattr(evm_xattrs, &newattrs);
> 		inode_unlock(inode);
> 		audit_log_format(ab, "locked");
> 		if (!err)
> 			err = count;
> 		goto out;
> 	}
>
> regards,
> dan carpenter
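
The read underflow discussed above, as an added userspace example that is not part of this thread or of the kernel source: it rejects an empty write up front and also guards the newline trim, since a buffer that begins with a NUL byte gives strlen() == 0 even when count is non-zero. The names copy_xattr_name and NAME_LIMIT are hypothetical, and memcpy() plus explicit termination stands in for memdup_user_nul().

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_LIMIT 255 /* assumed cap, standing in for the existing size check */

/*
 * Copy `count` bytes from buf into out, NUL-terminate the copy (as
 * memdup_user_nul() does) and strip one trailing newline.
 * Returns the resulting name length, or a negative errno value.
 */
static int copy_xattr_name(const char *buf, size_t count, char *out, size_t outsz)
{
	size_t len;

	if (count == 0)
		return -EINVAL;	/* empty write: nothing to parse */
	if (count > NAME_LIMIT || count >= outsz)
		return -E2BIG;

	memcpy(out, buf, count);
	out[count] = '\0';

	/* count > 0 does not imply strlen() > 0: the data may start with NUL. */
	len = strlen(out);
	if (len && out[len - 1] == '\n')
		out[--len] = '\0';

	return len ? (int)len : -EINVAL;	/* refuse an empty name */
}

int main(void)
{
	/* Constructed inputs: normal name, newline only, leading NUL, empty. */
	static const struct { const char *buf; size_t count; } in[] = {
		{ "security.test\n", 14 }, { "\n", 1 }, { "\0abc", 4 }, { "", 0 },
	};
	char name[NAME_LIMIT + 1];

	for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++)
		printf("count=%zu -> %d\n", in[i].count,
		       copy_xattr_name(in[i].buf, in[i].count, name, sizeof(name)));
	return 0;
}
```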