From: Petr Vorel <pvorel@suse.cz>
To: Andrea Cervesato <andrea.cervesato@suse.de>
Cc: ltp@lists.linux.it,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Paul Eggert <eggert@cs.ucla.edu>,
linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [LTP] [PATCH v4 2/2] Add listxattr04 reproducer
Date: Tue, 22 Jul 2025 16:11:04 +0200 [thread overview]
Message-ID: <20250722141104.GC84869@pevik> (raw)
In-Reply-To: <20250722-xattr_bug_repr-v4-2-4be1e52e97c6@suse.com>
Hi Andrea,
FYI Andrea's LTP reproducer for a bug introduced in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8b0ba61df5a1
and fixed in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=800d0b9b6a8b
> From: Andrea Cervesato <andrea.cervesato@suse.com>
> Test reproducer for a bug introduced in 8b0ba61df5a1 ("fs/xattr.c: fix
> simple_xattr_list to always include security.* xattrs").
> Bug can be reproduced when SELinux and ACL are activated on inodes as
> following:
> $ touch testfile
> $ setfacl -m u:myuser:rwx testfile
> $ getfattr -dm. /tmp/testfile
> Segmentation fault (core dumped)
> The reason why this happens is that simple_xattr_list() always includes
> security.* xattrs without resetting error flag after
> security_inode_listsecurity(). This results into an incorrect length of the
> returned xattr name if POSIX ACL is also applied on the inode.
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> testcases/kernel/syscalls/listxattr/.gitignore | 1 +
> testcases/kernel/syscalls/listxattr/Makefile | 2 +
> testcases/kernel/syscalls/listxattr/listxattr04.c | 108 ++++++++++++++++++++++
> 3 files changed, 111 insertions(+)
> diff --git a/testcases/kernel/syscalls/listxattr/.gitignore b/testcases/kernel/syscalls/listxattr/.gitignore
> index be0675a6df0080d176d53d70194442bbc9ed376c..0d672b6ea5eec03aab37ee89316c56e24356c1d9 100644
> --- a/testcases/kernel/syscalls/listxattr/.gitignore
> +++ b/testcases/kernel/syscalls/listxattr/.gitignore
> @@ -1,3 +1,4 @@
> /listxattr01
> /listxattr02
> /listxattr03
> +/listxattr04
> diff --git a/testcases/kernel/syscalls/listxattr/Makefile b/testcases/kernel/syscalls/listxattr/Makefile
> index c2f84b1590fc24a7a98f890ea7706771d944aa79..e96bb3fa4c2c6b14b8d2bc8fd4c475e4789d72fe 100644
> --- a/testcases/kernel/syscalls/listxattr/Makefile
> +++ b/testcases/kernel/syscalls/listxattr/Makefile
> @@ -6,4 +6,6 @@ top_srcdir ?= ../../../..
> include $(top_srcdir)/include/mk/testcases.mk
> +listxattr04: LDLIBS += $(ACL_LIBS)
> +
> include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/kernel/syscalls/listxattr/listxattr04.c b/testcases/kernel/syscalls/listxattr/listxattr04.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..473ed45b5c2da8ff8e49c513eeb82158ec2dc066
> --- /dev/null
> +++ b/testcases/kernel/syscalls/listxattr/listxattr04.c
> @@ -0,0 +1,108 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2025 Andrea Cervesato <andrea.cervesato@suse.com>
> + */
> +
> +/*\
> + * Test reproducer for a bug introduced in 8b0ba61df5a1 ("fs/xattr.c: fix
> + * simple_xattr_list to always include security.* xattrs").
> + *
> + * Bug can be reproduced when SELinux and ACL are activated on inodes as
> + * following:
> + *
> + * $ touch testfile
> + * $ setfacl -m u:myuser:rwx testfile
> + * $ getfattr -dm. /tmp/testfile
> + * Segmentation fault (core dumped)
> + *
> + * The reason why this happens is that simple_xattr_list() always includes
> + * security.* xattrs without resetting error flag after
> + * security_inode_listsecurity(). This results into an incorrect length of the
> + * returned xattr name if POSIX ACL is also applied on the inode.
> + */
> +
> +#include "config.h"
> +#include "tst_test.h"
> +
> +#if defined(HAVE_SYS_XATTR_H) && defined(HAVE_LIBACL)
> +
> +#include <pwd.h>
> +#include <sys/acl.h>
> +#include <sys/xattr.h>
> +
> +#define ACL_PERM "u::rw-,u:root:rwx,g::r--,o::r--,m::rwx"
> +#define TEST_FILE "test.bin"
> +
> +static acl_t acl;
> +
> +static void verify_xattr(const int size)
> +{
> + char buf[size];
> +
> + memset(buf, 0, sizeof(buf));
> +
> + if (listxattr(TEST_FILE, buf, size) == -1) {
> + if (errno != ERANGE)
> + tst_brk(TBROK | TERRNO, "listxattr() error");
The original verifier from RH bugreport check sizes and also works if size > -1
is returned, but I guess it's not necessary, because Andrea's reproducer works
as expected (fails on affected 6.16-rc1 based openSUSE kernel, works on 6.15.x).
LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2369561
> +
> + tst_res(TFAIL, "listxattr() failed to read attributes length: ERANGE");
> + return;
> + }
> +
> + tst_res(TPASS, "listxattr() correctly read attributes length");
> +}
> +
> +static void run(void)
> +{
> + int size;
> +
> + size = listxattr(TEST_FILE, NULL, 0);
> + if (size == -1)
> + tst_brk(TBROK | TERRNO, "listxattr() error");
> +
> + verify_xattr(size);
> +}
> +
> +static void setup(void)
> +{
> + int res;
> +
> + if (!tst_selinux_enabled())
> + tst_brk(TCONF, "SELinux is not enabled");
> +
> + SAFE_TOUCH(TEST_FILE, 0644, NULL);
> +
> + acl = acl_from_text(ACL_PERM);
> + if (!acl)
> + tst_brk(TBROK | TERRNO, "acl_from_text() failed");
> +
> + res = acl_set_file(TEST_FILE, ACL_TYPE_ACCESS, acl);
> + if (res == -1) {
> + if (errno == EOPNOTSUPP)
> + tst_brk(TCONF | TERRNO, "acl_set_file()");
> +
> + tst_brk(TBROK | TERRNO, "acl_set_file(%s) failed", TEST_FILE);
> + }
> +}
> +
> +static void cleanup(void)
> +{
> + if (acl)
> + acl_free(acl);
> +}
> +
> +static struct tst_test test = {
> + .test_all = run,
> + .setup = setup,
> + .cleanup = cleanup,
> + .needs_root = 1,
> + .needs_tmpdir = 1,
> + .tags = (const struct tst_tag[]) {
> + {"linux-git", "800d0b9b6a8b"},
> + {}
> + }
> +};
> +
> +#else /* HAVE_SYS_XATTR_H && HAVE_LIBACL */
> + TST_TEST_TCONF("<sys/xattr.h> or <sys/acl.h> does not exist.");
> +#endif
parent reply other threads:[~2025-07-22 14:11 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <20250722-xattr_bug_repr-v4-2-4be1e52e97c6@suse.com>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250722141104.GC84869@pevik \
--to=pvorel@suse.cz \
--cc=andrea.cervesato@suse.de \
--cc=eggert@cs.ucla.edu \
--cc=linux-fsdevel@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).