* [PATCH] tomoyo: reject short exec.envp[] names before suffix checks
@ 2026-04-17 7:32 Pengpeng Hou
2026-04-17 9:09 ` Tetsuo Handa
2026-04-23 22:53 ` Pengpeng Hou
0 siblings, 2 replies; 3+ messages in thread
From: Pengpeng Hou @ 2026-04-17 7:32 UTC (permalink / raw)
To: Kentaro Takeda, Tetsuo Handa
Cc: Paul Moore, James Morris, Serge E. Hallyn, linux-security-module,
linux-kernel, Pengpeng Hou, stable
tomoyo_parse_envp() assumes that the left-hand side still ends with the
closing '"' and ']' from an exec.envp["..."] condition and immediately
backs up from strlen(left) - 1 to verify that suffix.
If policy input leaves an empty or one-byte string here, the parser
reads before the start of the token while checking for the suffix.
Reject left-hand strings that are too short to contain the required '"]'
terminator before dereferencing the trailing characters.
Fixes: 5b636857fee6 ("TOMOYO: Allow using argv[]/envp[] of execve() as conditions.")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
security/tomoyo/condition.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/security/tomoyo/condition.c b/security/tomoyo/condition.c
index f8bcc083bb0d..1fa8343df4b3 100644
--- a/security/tomoyo/condition.c
+++ b/security/tomoyo/condition.c
@@ -320,7 +320,13 @@ static bool tomoyo_parse_envp(char *left, char *right,
{
const struct tomoyo_path_info *name;
const struct tomoyo_path_info *value;
- char *cp = left + strlen(left) - 1;
+ size_t len = strlen(left);
+ char *cp;
+
+ if (len < 2)
+ goto out;
+
+ cp = left + len - 1;
if (*cp-- != ']' || *cp != '"')
goto out;
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] tomoyo: reject short exec.envp[] names before suffix checks
2026-04-17 7:32 [PATCH] tomoyo: reject short exec.envp[] names before suffix checks Pengpeng Hou
@ 2026-04-17 9:09 ` Tetsuo Handa
2026-04-23 22:53 ` Pengpeng Hou
1 sibling, 0 replies; 3+ messages in thread
From: Tetsuo Handa @ 2026-04-17 9:09 UTC (permalink / raw)
To: Pengpeng Hou
Cc: Paul Moore, James Morris, Serge E. Hallyn, linux-security-module,
linux-kernel
Thank you for a patch, but I don't think we need to apply this patch.
The caller is
if (!strncmp(left_word, "exec.envp[\"", 11)) {
(...snipped...)
if (!tomoyo_parse_envp(left_word + 11, right_word, envp++)) goto out;
(...snipped...)
}
where the left-hand string is guaranteed to be safely dereferenced.
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] tomoyo: reject short exec.envp[] names before suffix checks
2026-04-17 7:32 [PATCH] tomoyo: reject short exec.envp[] names before suffix checks Pengpeng Hou
2026-04-17 9:09 ` Tetsuo Handa
@ 2026-04-23 22:53 ` Pengpeng Hou
1 sibling, 0 replies; 3+ messages in thread
From: Pengpeng Hou @ 2026-04-23 22:53 UTC (permalink / raw)
To: Tetsuo Handa
Cc: Kentaro Takeda, Paul Moore, James Morris, Serge Hallyn,
linux-security-module, linux-kernel, pengpeng
Hi Tetsuo,
Thanks for the explanation.
Agreed, I missed that the left-hand string is already guaranteed to be
safely dereferenced at that call site. I'll drop this patch.
Thanks,
Pengpeng
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-23 22:53 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-17 7:32 [PATCH] tomoyo: reject short exec.envp[] names before suffix checks Pengpeng Hou
2026-04-17 9:09 ` Tetsuo Handa
2026-04-23 22:53 ` Pengpeng Hou
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox