Re: [PATCH v2] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()
On Fri, May 31, 2019 at 11:45:28AM -0400, Paul Moore wrote: > On Thu, May 30, 2019 at 9:34 PM Gen Zhang wrote: > > > > In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It > > returns NULL when fails. So 'arg' should be checked. > > > > Signed-off-by: Gen Zhang > > Reviewed-by: Ondrej Mosnacek > > Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()") > > One quick note about the subject line, instead of using "hooks:" you > should use "selinux:" since this is specific to SELinux. If the patch > did apply to the LSM framework as a whole, I would suggest using > "lsm:" instead of "hooks:" as "hooks" is too ambiguous of a prefix. > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > index 3ec702c..5a9e959 100644 > > --- a/security/selinux/hooks.c > > +++ b/security/selinux/hooks.c > > @@ -2635,6 +2635,8 @@ static int selinux_sb_eat_lsm_opts(char *options, > > void **mnt_opts) > > *q++ = c; > > } > > arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); > > + if (!arg) > > + return -ENOMEM; > > It seems like we should also check for, and potentially free *mnt_opts > as the selinux_add_opt() error handling does just below this change, > yes? If that is the case we might want to move that error handling > code to the bottom of the function and jump there on error. > > > } > > rc = selinux_add_opt(token, arg, mnt_opts); > > if (unlikely(rc)) { > > -- > paul moore > www.paul-moore.com Yes, I agree with that. And I will work on this to resubmit. Thanks Gen
Re: [PATCH v2] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()
On Thu, May 30, 2019 at 9:34 PM Gen Zhang wrote: > > In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It > returns NULL when fails. So 'arg' should be checked. > > Signed-off-by: Gen Zhang > Reviewed-by: Ondrej Mosnacek > Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()") One quick note about the subject line, instead of using "hooks:" you should use "selinux:" since this is specific to SELinux. If the patch did apply to the LSM framework as a whole, I would suggest using "lsm:" instead of "hooks:" as "hooks" is too ambiguous of a prefix. > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 3ec702c..5a9e959 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -2635,6 +2635,8 @@ static int selinux_sb_eat_lsm_opts(char *options, void > **mnt_opts) > *q++ = c; > } > arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); > + if (!arg) > + return -ENOMEM; It seems like we should also check for, and potentially free *mnt_opts as the selinux_add_opt() error handling does just below this change, yes? If that is the case we might want to move that error handling code to the bottom of the function and jump there on error. > } > rc = selinux_add_opt(token, arg, mnt_opts); > if (unlikely(rc)) { -- paul moore www.paul-moore.com
[PATCH v2] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()
In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It returns NULL when fails. So 'arg' should be checked. Signed-off-by: Gen Zhang Reviewed-by: Ondrej Mosnacek Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()") --- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3ec702c..5a9e959 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2635,6 +2635,8 @@ static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) *q++ = c; } arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); + if (!arg) + return -ENOMEM; } rc = selinux_add_opt(token, arg, mnt_opts); if (unlikely(rc)) {
Re: [PATCH v2] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()
On Thu, May 30, 2019 at 4:52 AM Ondrej Mosnacek wrote: > > On Thu, May 30, 2019 at 10:51 AM Gen Zhang wrote: > > In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It > > returns NULL when fails. So 'arg' should be checked. > > > > Signed-off-by: Gen Zhang > > Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()") > > --- > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > index 3ec702c..5a9e959 100644 > > --- a/security/selinux/hooks.c > > +++ b/security/selinux/hooks.c > > @@ -2635,6 +2635,8 @@ static int selinux_sb_eat_lsm_opts(char *options, > > void **mnt_opts) > > *q++ = c; > > } > > arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); > > + if (!arg) > > + return -ENOMEM; Yeah -ENOMEM is correct here. Ack by me. > > } > > rc = selinux_add_opt(token, arg, mnt_opts); > > if (unlikely(rc)) { > > Looking at the callers of security_sb_eat_lsm_opts() (which is the > function that eventually calls the selinux_sb_eat_lsm_opts() hook), > -ENOMEM should be appropriate here. > > Reviewed-by: Ondrej Mosnacek > > -- > Ondrej Mosnacek > Software Engineer, Security Technologies > Red Hat, Inc.
Re: [PATCH v2] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()
On Thu, May 30, 2019 at 10:51 AM Gen Zhang wrote: > In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It > returns NULL when fails. So 'arg' should be checked. > > Signed-off-by: Gen Zhang > Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()") > --- > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 3ec702c..5a9e959 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -2635,6 +2635,8 @@ static int selinux_sb_eat_lsm_opts(char *options, void > **mnt_opts) > *q++ = c; > } > arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); > + if (!arg) > + return -ENOMEM; > } > rc = selinux_add_opt(token, arg, mnt_opts); > if (unlikely(rc)) { Looking at the callers of security_sb_eat_lsm_opts() (which is the function that eventually calls the selinux_sb_eat_lsm_opts() hook), -ENOMEM should be appropriate here. Reviewed-by: Ondrej Mosnacek -- Ondrej Mosnacek Software Engineer, Security Technologies Red Hat, Inc.
[PATCH v2] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()
In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It returns NULL when fails. So 'arg' should be checked. Signed-off-by: Gen Zhang Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()") --- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3ec702c..5a9e959 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2635,6 +2635,8 @@ static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) *q++ = c; } arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); + if (!arg) + return -ENOMEM; } rc = selinux_add_opt(token, arg, mnt_opts); if (unlikely(rc)) {