lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
authorCasey Schaufler <casey@schaufler-ca.com>
Tue, 19 Sep 2017 16:39:08 +0000 (09:39 -0700)
committerJames Morris <james.l.morris@oracle.com>
Wed, 4 Oct 2017 07:03:15 +0000 (18:03 +1100)
security_inode_getsecurity() provides the text string value
of a security attribute. It does not provide a "secctx".
The code in xattr_getsecurity() that calls security_inode_getsecurity()
and then calls security_release_secctx() happened to work because
SElinux and Smack treat the attribute and the secctx the same way.
It fails for cap_inode_getsecurity(), because that module has no
secctx that ever needs releasing. It turns out that Smack is the
one that's doing things wrong by not allocating memory when instructed
to do so by the "alloc" parameter.

The fix is simple enough. Change the security_release_secctx() to
kfree() because it isn't a secctx being returned by
security_inode_getsecurity(). Change Smack to allocate the string when
told to do so.

Note: this also fixes memory leaks for LSMs which implement
inode_getsecurity but not release_secctx, such as capabilities.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
fs/xattr.c
security/smack/smack_lsm.c

index 4424f7fecf14549b65c62d0cac4b8b692718f426..61cd28ba25f364df5af103277924befb6d4a39a0 100644 (file)
@@ -250,7 +250,7 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value,
        }
        memcpy(value, buffer, len);
 out:
-       security_release_secctx(buffer, len);
+       kfree(buffer);
 out_noalloc:
        return len;
 }
index 319add31b4a4ee7b5464d2a15782289ecb110ce7..286171a16ed255e20c396fca595600488c059c2d 100644 (file)
@@ -1473,7 +1473,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
  * @inode: the object
  * @name: attribute name
  * @buffer: where to put the result
- * @alloc: unused
+ * @alloc: duplicate memory
  *
  * Returns the size of the attribute or an error code
  */
@@ -1486,43 +1486,38 @@ static int smack_inode_getsecurity(struct inode *inode,
        struct super_block *sbp;
        struct inode *ip = (struct inode *)inode;
        struct smack_known *isp;
-       int ilen;
-       int rc = 0;
 
-       if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
+       if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
                isp = smk_of_inode(inode);
-               ilen = strlen(isp->smk_known);
-               *buffer = isp->smk_known;
-               return ilen;
-       }
+       else {
+               /*
+                * The rest of the Smack xattrs are only on sockets.
+                */
+               sbp = ip->i_sb;
+               if (sbp->s_magic != SOCKFS_MAGIC)
+                       return -EOPNOTSUPP;
 
-       /*
-        * The rest of the Smack xattrs are only on sockets.
-        */
-       sbp = ip->i_sb;
-       if (sbp->s_magic != SOCKFS_MAGIC)
-               return -EOPNOTSUPP;
+               sock = SOCKET_I(ip);
+               if (sock == NULL || sock->sk == NULL)
+                       return -EOPNOTSUPP;
 
-       sock = SOCKET_I(ip);
-       if (sock == NULL || sock->sk == NULL)
-               return -EOPNOTSUPP;
-
-       ssp = sock->sk->sk_security;
+               ssp = sock->sk->sk_security;
 
-       if (strcmp(name, XATTR_SMACK_IPIN) == 0)
-               isp = ssp->smk_in;
-       else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
-               isp = ssp->smk_out;
-       else
-               return -EOPNOTSUPP;
+               if (strcmp(name, XATTR_SMACK_IPIN) == 0)
+                       isp = ssp->smk_in;
+               else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
+                       isp = ssp->smk_out;
+               else
+                       return -EOPNOTSUPP;
+       }
 
-       ilen = strlen(isp->smk_known);
-       if (rc == 0) {
-               *buffer = isp->smk_known;
-               rc = ilen;
+       if (alloc) {
+               *buffer = kstrdup(isp->smk_known, GFP_KERNEL);
+               if (*buffer == NULL)
+                       return -ENOMEM;
        }
 
-       return rc;
+       return strlen(isp->smk_known);
 }