From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: Nicolas Bouchinet <nicolas.bouchinet@clip-os.org>,
Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org,
Roberto Sassu <roberto.sassu@huawei.com>,
philippe.trebuchet@ssi.gouv.fr, dmitry.kasatkin@gmail.com,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
casey@schaufler-ca.com, davem@davemloft.net,
lucien.xin@gmail.com, vgoyal@redhat.com, omosnace@redhat.com,
mortonm@chromium.org, nicolas.bouchinet@ssi.gouv.fr,
mic@digikod.net, cgzones@googlemail.com,
linux-security-module@vger.kernel.org, kpsingh@kernel.org,
revest@chromium.org, jackmanb@chromium.org, bpf@vger.kernel.org
Subject: Re: [PATCH v5] evm: Correct inode_init_security hooks behaviors
Date: Tue, 29 Nov 2022 14:10:06 +0100 [thread overview]
Message-ID: <b01474bc5f19e98ff30ddc16a5d783c84ed1a486.camel@huaweicloud.com> (raw)
In-Reply-To: <Y4YCElqX9jp5r8sO@archlinux>
On Tue, 2022-11-29 at 13:58 +0100, Nicolas Bouchinet wrote:
> Hi Mimi,
>
> On Tue, Nov 29, 2022 at 06:28:09AM -0500, Mimi Zohar wrote:
> > On Fri, 2022-11-25 at 16:57 +0100, Nicolas Bouchinet wrote:
> > > From: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
> > >
> > > Fixes a NULL pointer dereference occurring in the
> > > `evm_protected_xattr_common` function of the EVM LSM. The bug is
> > > triggered if a `inode_init_security` hook returns 0 without initializing
> > > the given `struct xattr` fields (which is the case of BPF) and if no
> > > other LSM overrides thoses fields after. This also leads to memory
> > > leaks.
> > >
> > > The `call_int_hook_xattr` macro has been inlined into the
> > > `security_inode_init_security` hook in order to check hooks return
> > > values and skip ones who doesn't init `xattrs`.
> > >
> > > Modify `evm_init_hmac` function to init the EVM hmac using every
> > > entry of the given xattr array.
> > >
> > > The `MAX_LSM_EVM_XATTR` value is now based on the security modules
> > > compiled in, which gives room for SMACK, SELinux, Apparmor, BPF and
> > > IMA/EVM security attributes.
> > >
> > > Changes the default return value of the `inode_init_security` hook
> > > definition to `-EOPNOTSUPP`.
> > >
> > > Changes the hook documentation to match the behavior of the LSMs using
> > > it (only xattr->value is initialised with kmalloc and thus is the only
> > > one that should be kfreed by the caller).
> > >
> > > Cc: roberto.sassu@huaweicloud.com
> > > Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
> >
> > What is the relationship between this patch and Roberto's patch set?
> > Roberto, if there is an overlap, then at minimum there should be a
> > Reported-by tag indicating that your patch set addresses a bug reported
> > by Nicolas.
>
> This patch fixes the EVM NULL pointer dereference I have reported, and additionally
> improves the stackability of this LSM hook. This latter improvement was originally
> addressed by Roberto's patchset, and thus I see no problem for my fix to be merged
> within his patchset.
+ if (!num_filled_xattrs)
goto out;
- evm_xattr = lsm_xattr + 1;
- ret = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
+ ret = evm_inode_init_security(inode, new_xattrs,
+ new_xattrs + num_filled_xattrs);
This part of patch 4 should be enough to fix the issue, until EVM is
outside the LSM infrastructure.
It prevents EVM from being called if there are no xattrs filled (the
panic occurred due to xattr->name being NULL).
Then, this part of patch 6:
+ for (xattr = xattrs; xattr->value != NULL; xattr++) {
+ if (evm_protected_xattr(xattr->name))
+ evm_protected_xattrs = true;
+ }
+
+ /* EVM xattr not needed. */
+ if (!evm_protected_xattrs)
+ return -EOPNOTSUPP;
should be sufficient for when EVM is managed by the LSM infrastructure.
security_check_compact_filled_xattrs() ensures that if xattr->value is
not NULL, xattr->name is not NULL too.
Roberto
> > --
> > thanks,
> >
> > Mimi
> >
>
> Thanks for your time,
>
> Nicolas Bouchinet
next prev parent reply other threads:[~2022-11-29 13:13 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-25 15:57 [PATCH v5] evm: Correct inode_init_security hooks behaviors Nicolas Bouchinet
2022-11-29 11:28 ` Mimi Zohar
2022-11-29 12:21 ` Roberto Sassu
2022-11-29 12:58 ` Nicolas Bouchinet
2022-11-29 13:10 ` Roberto Sassu [this message]
2022-11-29 14:31 ` Nicolas Bouchinet
2022-11-29 14:33 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b01474bc5f19e98ff30ddc16a5d783c84ed1a486.camel@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=bpf@vger.kernel.org \
--cc=casey@schaufler-ca.com \
--cc=cgzones@googlemail.com \
--cc=davem@davemloft.net \
--cc=dmitry.kasatkin@gmail.com \
--cc=jackmanb@chromium.org \
--cc=jmorris@namei.org \
--cc=kpsingh@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=mic@digikod.net \
--cc=mortonm@chromium.org \
--cc=nicolas.bouchinet@clip-os.org \
--cc=nicolas.bouchinet@ssi.gouv.fr \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=philippe.trebuchet@ssi.gouv.fr \
--cc=revest@chromium.org \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=vgoyal@redhat.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).