Date: Sat, 18 Apr 2026 19:08:34 -0400
From: Justin Suess
To: 王志 <23009200614@stu.xidian.edu.cn>
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, paul@paul-moore.com
Subject: Re: [BUG] landlock: warning in collect_domain_accesses via renameat2 path rename
In-Reply-To: <25536ce2.4391.19d9b3484ff.Coremail.23009200614@stu.xidian.edu.cn>

On Fri, Apr 17, 2026 at 07:30:03PM +0800, 王志 wrote:
> Dear Maintainers,
>
> When using our customized Syzkaller to fuzz the latest Linux kernel, we discovered a crash related to Landlock during a path rename operation.
>
> HEAD commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449

This is the initial 6.18 release, without the stable backported fixes.

> git tree: upstream
>
> Reproducer and logs:
> Output: https://github.com/manual0/crash/blob/main/cebd27007e806e16cf15cb1e0214c24054e8998e/report1
> Kernel config: https://github.com/manual0/crash/blob/main/6.18-syzbot.config
> C reproducer: https://github.com/manual0/crash/blob/main/cebd27007e806e16cf15cb1e0214c24054e8998e/repro.c
>
> ----------------------------------------
>
> Analysis:
>
> The crash is triggered through the following path:
>
> renameat2
> → security_path_rename
> → current_check_refer_path
> → collect_domain_accesses
>
> This indicates that a path rename operation triggers Landlock's path access control checks. The crash occurs inside collect_domain_accesses(), which is responsible for collecting the current process's domain access rights.
>
> The bug is caused by collect_domain_accesses() traversing inconsistent or invalid Landlock ruleset data during rename path permission checks, leading to unsafe memory access.
> ----------------------------------------
>
> If you fix this issue, please add the following tag to the commit:
>
> Reported-by: Zhi Wang
>

This was fixed in 6.18.2 with cadb28f8b3fd6908e3051e86158c65c3a8e1c907 (landlock: Fix handling of disconnected directories) [1]

So this has been fixed upstream and backported already.

Please target fuzzing against a supported tag.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.18.y&id=cadb28f8b3fd6908e3051e86158c65c3a8e1c907

Justin

> Thanks,
> Zhi Wang