Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp3570595ybi; Mon, 10 Jun 2019 12:32:50 -0700 (PDT) X-Google-Smtp-Source: APXvYqybnu7WryO4M8ON0uxSSWn28tI7evkHeEVtUozYunxdP2wSuZY7uARDCAXjdwqIrDFSWcuS X-Received: by 2002:a17:902:740c:: with SMTP id g12mr17802972pll.128.1560195170139; Mon, 10 Jun 2019 12:32:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560195170; cv=none; d=google.com; s=arc-20160816; b=c0AbG65bmlpcRx9gGCwdsDLzAStDhXaMARkZ29ajiEAWiRESZ9avTwn0oLujx9329O JiY5lr0kq2L8iR1+VpZ0qu92YtUE1T9rA3zyzHsN1UF7MplOtdV2Tqn2tvjyheg6msAv waxkv6UI0gOXNTsZUFT+C7ALEJh+J+cVVRAYl67S1CXUa+H2xmcwd+q6p10zrb88F7DL R6UGYySW8y9Bg/tqXrtJzSKrSKxFPlecS8dWbZorrcyJx2F+6Y1eNPZ3lso7iTS3nSWi +esIqTFNBzgtNH5NpO7p0wfYd63KYLugyckW7esPn862DTSlnq3LPRSYuxbLcKVRGGcp HFjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=IIoSsHs2Gt3kHbX+cuP9jRibTu3kMb1fSTDPWFLywq4=; b=ktTBZ+JhWKpNP09qJarb1OYVzhb1Pl910+x2ZzMhZeKj0QNaiPaQgCaEqhVtpd76ye z9A5PAJGAE5sFMqouh6XSumrXahwVn7sRFoBJ2FJ+PpUWIri0Eso/U/HTQkaaaXtrvNJ BXWcBzjYC4aeNY+f9jUsTa1hr80QvaM/HOPE0aazEs6qh5xyqIy/kZT9i+kI2cil7nop rooznViHTmygHq+ML5sobMaarFpbt3J2g5O0CJv7XaQv1Dk3EPDihwr2q2QFTebYbf22 jUPnCwAJt5kDHqIf2aXH2dm0XgE373LAOHnE3oWOWZKcGAgpE+jvoGqbo+hyMPz+ZT1B BXQg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=oKO4mbCl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y2si1526588pgh.524.2019.06.10.12.32.35; Mon, 10 Jun 2019 12:32:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=oKO4mbCl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389129AbfFJTcF (ORCPT + 99 others); Mon, 10 Jun 2019 15:32:05 -0400 Received: from mail-lf1-f66.google.com ([209.85.167.66]:45713 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389141AbfFJTcE (ORCPT ); Mon, 10 Jun 2019 15:32:04 -0400 Received: by mail-lf1-f66.google.com with SMTP id u10so7464732lfm.12 for ; Mon, 10 Jun 2019 12:32:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IIoSsHs2Gt3kHbX+cuP9jRibTu3kMb1fSTDPWFLywq4=; b=oKO4mbClwNDoCgUwCV9hFQelTUY+xAsbBQi8UXkaFFyxhzWF/FXpxQnPGBCRuSgfrN VLnPReDyxOanh93THZAyuRf18DZQLhRc9AdKcjG1fvNU3nc0NcslkzYjzk5r4KC7lA3T fHDSdZJQKDGB5Mgl9VB8V6UnMZESUdQdUUVSlTKHHLFCBkRavW8xXCQB4u/rcpNraDUL Zvr4WKdbV7BlJtsMg4qjWfYbJ2oFXIBh8sLbEk9dGSxvqmG8ZimxO+99J3ytAS378x8I iMwBcbKpuTZrkiNSkV1Nx17sKx+9zwJKNzQ9opk9OdqoZRwmoaF2S+Z3WY9cmyi2WgXD JOkQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IIoSsHs2Gt3kHbX+cuP9jRibTu3kMb1fSTDPWFLywq4=; b=W4p4vWWEO/ZoeTHLVjP1RWyNeh5Y5DOlgLMADf89CycyH7Sfl2PPJmG/KRytqjpl+c sFMoAV8b3lITbXZUcfDRsd39TWneSC+w53/OrcGMvCRjzGeq+AhD6QuP8kemEp35/tOK A0mGuL1ZIYhcTxhzSo3ZHCE72R6YvMzU+osWi589mFphZMnnxxhW5xvNCmA92mqbeARX unXjtpFb/GBJK+LjqM1hyj2FZGyA/ZyUBJ2dhVxduwG0Ymt7V9UH8pNbnZy5dVMFJn8h waBI8SXz9JFKLA2VdgoQSxUoCab1iWMYexMZ8+BgEXFAhsp0vFnZ5T7WaMeS3qhqupSj 8Stg== X-Gm-Message-State: APjAAAXsty7YZpZfpbuvpUH3dS7D4ln0bkUp8OY9UkbN0Pjg//bYyap6 mlk1pmW0gSG/6IBNg8E8waoD64xjwyVP8UiENdGP X-Received: by 2002:ac2:4109:: with SMTP id b9mr4940972lfi.31.1560195121827; Mon, 10 Jun 2019 12:32:01 -0700 (PDT) MIME-Version: 1.0 References: <20190606092342.GA21672@zhanggen-UX430UQ> <20190607121134.GA3357@zhanggen-UX430UQ> In-Reply-To: <20190607121134.GA3357@zhanggen-UX430UQ> From: Paul Moore Date: Mon, 10 Jun 2019 15:31:50 -0400 Message-ID: Subject: Re: [PATCH v3] selinux: lsm: fix a missing-check bug in selinux_add_mnt_opt( ) To: Gen Zhang Cc: Ondrej Mosnacek , Stephen Smalley , Eric Paris , selinux@vger.kernel.org, Linux kernel mailing list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 7, 2019 at 8:11 AM Gen Zhang wrote: > > On Fri, Jun 07, 2019 at 10:39:05AM +0200, Ondrej Mosnacek wrote: > > On Thu, Jun 6, 2019 at 11:23 AM Gen Zhang wrote: > > > In selinux_add_mnt_opt(), 'val' is allocated by kmemdup_nul(). It returns > > > NULL when fails. So 'val' should be checked. And 'mnt_opts' should be > > > freed when error. > > > > > > Signed-off-by: Gen Zhang > > > Fixes: 757cbe597fe8 ("LSM: new method: ->sb_add_mnt_opt()") > > > --- > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > > index 3ec702c..4e4c1c6 100644 > > > --- a/security/selinux/hooks.c > > > +++ b/security/selinux/hooks.c > > > @@ -1052,15 +1052,23 @@ static int selinux_add_mnt_opt(const char *option, const char *val, int len, > > > if (token == Opt_error) > > > return -EINVAL; > > > > > > - if (token != Opt_seclabel) > > > - val = kmemdup_nul(val, len, GFP_KERNEL); > > > + if (token != Opt_seclabel) { > > > + val = kmemdup_nul(val, len, GFP_KERNEL); > > > + if (!val) { > > > + rc = -ENOMEM; > > > + goto free_opt; > > > + } > > > + } > > > rc = selinux_add_opt(token, val, mnt_opts); > > > if (unlikely(rc)) { > > > kfree(val); > > > - if (*mnt_opts) { > > > - selinux_free_mnt_opts(*mnt_opts); > > > - *mnt_opts = NULL; > > > - } > > > + goto free_opt; > > > + } > > > + return rc; > > > > At this point rc is guaranteed to be 0, so you can just 'return 0' for > > clarity. Also, I visually prefer an empty line between a return > > statement and a goto label, but I'm not sure what is the > > general/maintainer's preference. > > Am I supposed to revise and send a patch v4 for this, or let the > maintainer do this? :-) First a few things from my perspective: I don't really care too much about the difference between returning "0" and "rc" here, one could argue that "0" is cleaner and that "rc" is "safer". To me it isn't a big deal and generally isn't something I would even comment on unless there was something else in the patch that needed addressing. I care a more about the style choice of having an empty line between the return and the start of the goto targets (vertical whitespace before the jump targets is good, please include it), but once again, I'm not sure I would comment on that. The patch subject line is a bit confusing in that we already discussed when to use "selinux" and when to use "lsm", but I imagine there might be some confusion about using both so let me try and clear that up now: don't do it unless you have a *really* good reason to do so :) In this case it is all SELinux code so there is no reason why you should be including the "lsm" prefix. You've been pretty responsive, so if you don't mind submitting a v4 with the changes mentioned above, that would be far more preferable to me making the changes. I have some other comments about maintainer fixes to patches, but I'll save that for the other thread :) -- paul moore www.paul-moore.com