Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756323AbaJ2Sg1 (ORCPT ); Wed, 29 Oct 2014 14:36:27 -0400 Received: from userp1040.oracle.com ([156.151.31.81]:41097 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756185AbaJ2Sg0 (ORCPT ); Wed, 29 Oct 2014 14:36:26 -0400 Date: Wed, 29 Oct 2014 21:36:12 +0300 From: Dan Carpenter To: Andy Lutomirski Cc: Mimi Zohar , "linux-kernel@vger.kernel.org" , LSM List , Linus Torvalds , "security@kernel.org" , James Morris Subject: Re: [GIT PULL] Fix for Integrity subsystem null pointer deref Message-ID: <20141029183612.GI6890@mwanda> References: <1414587599.5330.50.camel@dhcp-9-2-203-236.watson.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Source-IP: acsinet22.oracle.com [141.146.126.238] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 29, 2014 at 09:23:45AM -0700, Andy Lutomirski wrote: > I have no idea what the semantics are. All I'm saying is that it > looks like the code still accesses memory past the end of the buffer. > The buffer isn't a null pointer, so the symptom is different, but it > may still be a security bug. > > --Andy It only reads one byte into the struct "xattr_data->type" so checking for non-zero is sufficient and the patch is fine. I fixed that exact same bug in lustre last week where the xattr size is not zero but it's less than the size of the struct. So this seems like maybe it could be a common anti-pattern though. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/