Merge branch 'fixes-v4.14-rc4' of...

Merge branch 'fixes-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull smack fix from James Morris: "It fixes a bug in xattr_getsecurity() where security_release_secctx() was being called instead of kfree(), which leads to a memory leak in the capabilities code. smack_inode_getsecurity is also fixed to behave correctly when called from there" * 'fixes-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: lsm: fix smack_inode_removexattr and xattr_getsecurity memleak

Merge branch 'fixes-v4.14-rc4' of...
Merge branch 'fixes-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull smack fix from James Morris: "It fixes a bug in xattr_getsecurity() where security_release_secctx() was being called instead of kfree(), which leads to a memory leak in the capabilities code. smack_inode_getsecurity is also fixed to behave correctly when called from there" * 'fixes-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
6c795b30 · Linus Torvalds · 013a8ee6 · 57e7ba04 · 6c795b30 · 6c795b30
Commit 6c795b30 authored Oct 04, 2017 by Linus Torvalds
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 31 deletions

fs/xattr.c fs/xattr.c +1 -1

security/smack/smack_lsm.c security/smack/smack_lsm.c +25 -30

No files found.
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -250,7 +250,7 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value,
 	}
 	memcpy(value, buffer, len);
 out:
-	security_release_secctx(buffer, len);
+	kfree(buffer);
 out_noalloc:
 	return len;
 }

--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1473,7 +1473,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
 * @inode: the object
 * @name: attribute name
 * @buffer: where to put the result
- * @alloc: unused
+ * @alloc: duplicate memory
 *
 * Returns the size of the attribute or an error code
 */
@@ -1486,43 +1486,38 @@ static int smack_inode_getsecurity(struct inode *inode,
 	struct super_block *sbp;
 	struct inode *ip = (struct inode *)inode;
 	struct smack_known *isp;
-	int ilen;
-	int rc = 0;
-	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
+	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
 		isp = smk_of_inode(inode);
-		ilen = strlen(isp->smk_known);
+	else {
-		*buffer = isp->smk_known;
+		/*
-		return ilen;
+		 * The rest of the Smack xattrs are only on sockets.
-	}
+		 */
+		sbp = ip->i_sb;
+		if (sbp->s_magic != SOCKFS_MAGIC)
+			return -EOPNOTSUPP;
-	/*
+		sock = SOCKET_I(ip);
-	 * The rest of the Smack xattrs are only on sockets.
+		if (sock == NULL || sock->sk == NULL)
-	 */
+			return -EOPNOTSUPP;
-	sbp = ip->i_sb;
-	if (sbp->s_magic != SOCKFS_MAGIC)
-		return -EOPNOTSUPP;
-	sock = SOCKET_I(ip);
+		ssp = sock->sk->sk_security;
-	if (sock == NULL || sock->sk == NULL)
-		return -EOPNOTSUPP;
-	ssp = sock->sk->sk_security;
-	if (strcmp(name, XATTR_SMACK_IPIN) == 0)
+		if (strcmp(name, XATTR_SMACK_IPIN) == 0)
-		isp = ssp->smk_in;
+			isp = ssp->smk_in;
-	else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
+		else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
-		isp = ssp->smk_out;
+			isp = ssp->smk_out;
-	else
+		else
-		return -EOPNOTSUPP;
+			return -EOPNOTSUPP;
+	}
-	ilen = strlen(isp->smk_known);
+	if (alloc) {
-	if (rc == 0) {
+		*buffer = kstrdup(isp->smk_known, GFP_KERNEL);
-		*buffer = isp->smk_known;
+		if (*buffer == NULL)
-		rc = ilen;
+			return -ENOMEM;
 	}
-	return rc;
+	return strlen(isp->smk_known);
 }