Merge branch 'fixes-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull smack fix from James Morris: "It fixes a bug in xattr_getsecurity() where security_release_secctx() was being called instead of kfree(), which leads to a memory leak in the capabilities code. smack_inode_getsecurity is also fixed to behave correctly when called from there" * 'fixes-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
author: Linus Torvalds <torvalds@linux-foundation.org> 2017-10-04 12:21:58 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2017-10-04 12:21:58 -0400
commit: 6c795b30f46ff7efec0039095045c2012416670e (patch)
tree: 5c336215e9356d856d3adf130bdb3078028a485c
parent: 013a8ee6284280f8032cadfec37bcc3cfbfff81b (diff)
parent: 57e7ba04d422c3d41c8426380303ec9b7533ded9 (diff)
2 files changed, 26 insertions, 31 deletions
diff --git a/fs/xattr.c b/fs/xattr.c
index 4424f7fecf14..61cd28ba25f3 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -250,7 +250,7 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value,
        }
        memcpy(value, buffer, len);
 out:
-        security_release_secctx(buffer, len);
+        kfree(buffer);
 out_noalloc:
        return len;
 }
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 319add31b4a4..286171a16ed2 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1473,7 +1473,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
 * @inode: the object
 * @name: attribute name
 * @buffer: where to put the result
- * @alloc: unused
+ * @alloc: duplicate memory
 *
 * Returns the size of the attribute or an error code
 */
@@ -1486,43 +1486,38 @@ static int smack_inode_getsecurity(struct inode *inode,
        struct super_block *sbp;
        struct inode *ip = (struct inode *)inode;
        struct smack_known *isp;
-        int ilen;
-        int rc = 0;
-        if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
+        if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
                isp = smk_of_inode(inode);
-                ilen = strlen(isp->smk_known);
+        else {
-                *buffer = isp->smk_known;
+                /*
-                return ilen;
+                 * The rest of the Smack xattrs are only on sockets.
-        }
+                 */
+                sbp = ip->i_sb;
+                if (sbp->s_magic != SOCKFS_MAGIC)
+                        return -EOPNOTSUPP;
-        /*
+                sock = SOCKET_I(ip);
-         * The rest of the Smack xattrs are only on sockets.
+                if (sock == NULL || sock->sk == NULL)
-         */
+                        return -EOPNOTSUPP;
-        sbp = ip->i_sb;
-        if (sbp->s_magic != SOCKFS_MAGIC)
-                return -EOPNOTSUPP;
-        sock = SOCKET_I(ip);
+                ssp = sock->sk->sk_security;
-        if (sock == NULL || sock->sk == NULL)
-                return -EOPNOTSUPP;
-        ssp = sock->sk->sk_security;
-        if (strcmp(name, XATTR_SMACK_IPIN) == 0)
+                if (strcmp(name, XATTR_SMACK_IPIN) == 0)
-                isp = ssp->smk_in;
+                        isp = ssp->smk_in;
-        else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
+                else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
-                isp = ssp->smk_out;
+                        isp = ssp->smk_out;
-        else
+                else
-                return -EOPNOTSUPP;
+                        return -EOPNOTSUPP;
+        }
-        ilen = strlen(isp->smk_known);
+        if (alloc) {
-        if (rc == 0) {
+                *buffer = kstrdup(isp->smk_known, GFP_KERNEL);
-                *buffer = isp->smk_known;
+                if (*buffer == NULL)
-                rc = ilen;
+                        return -ENOMEM;
        }
-        return rc;
+        return strlen(isp->smk_known);
 }
author	Linus Torvalds <torvalds@linux-foundation.org>	2017-10-04 12:21:58 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2017-10-04 12:21:58 -0400
commit	6c795b30f46ff7efec0039095045c2012416670e (patch)
tree	5c336215e9356d856d3adf130bdb3078028a485c
parent	013a8ee6284280f8032cadfec37bcc3cfbfff81b (diff)
parent	57e7ba04d422c3d41c8426380303ec9b7533ded9 (diff)

diff --git a/fs/xattr.c b/fs/xattr.c index 4424f7fecf14..61cd28ba25f3 100644 --- a/fs/xattr.c +++ b/fs/xattr.c
@@ -250,7 +250,7 @@ xattr_getsecurity(struct inode inode, const char name, void *value,
250	}	250	}
251	memcpy(value, buffer, len);	251	memcpy(value, buffer, len);
252	out:	252	out:
253	security_release_secctx(buffer, len);	253	kfree(buffer);
254	out_noalloc:	254	out_noalloc:
255	return len;	255	return len;
256	}	256	}


diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 319add31b4a4..286171a16ed2 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -1473,7 +1473,7 @@ static int smack_inode_removexattr(struct dentry dentry, const char name)
1473	* @inode: the object	1473	* @inode: the object
1474	* @name: attribute name	1474	* @name: attribute name
1475	* @buffer: where to put the result	1475	* @buffer: where to put the result
1476	* @alloc: unused	1476	* @alloc: duplicate memory
1477	*	1477	*
1478	* Returns the size of the attribute or an error code	1478	* Returns the size of the attribute or an error code
1479	*/	1479	*/
@@ -1486,43 +1486,38 @@ static int smack_inode_getsecurity(struct inode *inode,
1486	struct super_block *sbp;	1486	struct super_block *sbp;
1487	struct inode ip = (struct inode )inode;	1487	struct inode ip = (struct inode )inode;
1488	struct smack_known *isp;	1488	struct smack_known *isp;
1489	int ilen;
1490	int rc = 0;
1491		1489
1492	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {	1490	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
1493	isp = smk_of_inode(inode);	1491	isp = smk_of_inode(inode);
1494	ilen = strlen(isp->smk_known);	1492	else {
1495	*buffer = isp->smk_known;	1493	/*
1496	return ilen;	1494	* The rest of the Smack xattrs are only on sockets.
1497	}	1495	*/
		1496	sbp = ip->i_sb;
		1497	if (sbp->s_magic != SOCKFS_MAGIC)
		1498	return -EOPNOTSUPP;
1498		1499
1499	/*	1500	sock = SOCKET_I(ip);
1500	* The rest of the Smack xattrs are only on sockets.	1501	if (sock == NULL \|\| sock->sk == NULL)
1501	*/	1502	return -EOPNOTSUPP;
1502	sbp = ip->i_sb;
1503	if (sbp->s_magic != SOCKFS_MAGIC)
1504	return -EOPNOTSUPP;
1505		1503
1506	sock = SOCKET_I(ip);	1504	ssp = sock->sk->sk_security;
1507	if (sock == NULL \|\| sock->sk == NULL)
1508	return -EOPNOTSUPP;
1509
1510	ssp = sock->sk->sk_security;
1511		1505
1512	if (strcmp(name, XATTR_SMACK_IPIN) == 0)	1506	if (strcmp(name, XATTR_SMACK_IPIN) == 0)
1513	isp = ssp->smk_in;	1507	isp = ssp->smk_in;
1514	else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)	1508	else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
1515	isp = ssp->smk_out;	1509	isp = ssp->smk_out;
1516	else	1510	else
1517	return -EOPNOTSUPP;	1511	return -EOPNOTSUPP;
		1512	}
1518		1513
1519	ilen = strlen(isp->smk_known);	1514	if (alloc) {
1520	if (rc == 0) {	1515	*buffer = kstrdup(isp->smk_known, GFP_KERNEL);
1521	*buffer = isp->smk_known;	1516	if (*buffer == NULL)
1522	rc = ilen;	1517	return -ENOMEM;
1523	}	1518	}
1524		1519
1525	return rc;	1520	return strlen(isp->smk_known);
1526	}	1521	}
1527		1522
1528		1523