Bug 57791
| Summary: | NULL pointer dereference bug after upgrading to systemd-203 | | |
|---|---|---|---|
| Product: | Other | Reporter: | Ivan Bulatovic (combuster) |
| Component: | Other | Assignee: | Casey Schaufler (casey) |
| Status: | RESOLVED PATCH_ALREADY_AVAILABLE | | |
| Severity: | normal | CC: | casey |
| Priority: | P1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | 3.9.0 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | linux-3.9.0 kernel config; Image of the panic | | |
Description

Ivan Bulatovic, 2013-05-08 14:32:01 UTC

Created attachment 100981: Image of the panic
This appears to have crept in with the cgroups xattr support. It looks as if the dentry may not be complete when passed to Smack. __d_xattr() references dentry->d_inode->i_mode; however, d_inode is not set when d_instantiate() is called. When Smack goes looking to see if there are attributes associated with the dentry we get a NULL pointer reference. SELinux does not see this problem because cgroups are mounted without xattr-based labeling enabled.

The quick and dirty fix is to add a check:

```c
if (dp->d_inode == NULL)
	return NULL;
```

prior to the buffer allocation in smk_fetch() in security/smack/smack_lsm.c. This won't solve the problem for SELinux with xattr-based labeling enabled, but I suspect that if they wanted to run in that mode they'd already be doing so.

This patch seems to fix the problem. It was tested by Ivan Bulatovic. I would prefer that the cgroup xattr code get fixed so that it initializes the dentry prior to calling d_instantiate, but this should do for now.

```diff
---
 security/smack/smack_lsm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index d52c780..2ceafae 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -59,7 +59,8 @@ static char *smk_fetch(const char *name, struct inode *ip, struct dentry *dp)
 	char *buffer;
 	char *result = NULL;
 
-	if (ip->i_op->getxattr == NULL)
+	if (ip->i_op->getxattr == NULL || dp->d_inode == NULL ||
+	    dp->d_fsdata == NULL)
 		return NULL;
 
 	buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL);
```

Do not use the patch above. The commit

    cgroup: initialize xattr before calling d_instantiate()
    d6cbf35dac8a3dadb9103379820c96d7c85df3d9

fixes the real problem.
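Review bot: the `dp->d_fsdata == NULL` test added to smk_fetch() in the hunk is not explained anywhere in the commit text, which only talks about d_inode; the commit message should say why d_fsdata is also checked, or the check should be dropped. More importantly, returning NULL here makes a half-initialized dentry indistinguishable from one that simply carries no label, so the object silently gets Smack's fallback labeling instead of the xattr the filesystem intended, and any other LSM doing xattr-based labeling still oopses on the same path. The ordering bug belongs to the caller that runs d_instantiate() before the dentry is ready, as the message itself concedes; that is where the fix should go.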
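The report describes an initialization-order bug: the filesystem publishes a dentry through d_instantiate(), the LSM hook runs immediately and asks the inode for its xattr, and the per-dentry state the xattr lookup needs has not been set yet. The following user-space model is an added example, not kernel code and not from this bug's participants; the struct names loosely mirror the kernel ones and all of the behaviour (the private-data layout, the sample label "Rubble", reporting -EFAULT instead of actually dereferencing NULL) is constructed for illustration. It contrasts the buggy and the corrected creation order and shows what the patch's defensive check in smk_fetch() does and does not buy: it turns the oops into a silently unlabeled object.

```c
/* User-space model of the d_instantiate() ordering bug from this report.
 * Added example, not kernel code; names and layout are assumptions.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifndef ENODATA
#define ENODATA 61
#endif

#define SMK_LONGLABEL 256

struct dentry;

struct inode_ops {
	/* mirrors i_op->getxattr: returns value length or a negative errno */
	int (*getxattr)(struct dentry *dp, const char *name, char *buf, size_t size);
};

struct inode {
	unsigned int i_mode;
	const struct inode_ops *i_op;
};

/* The two dentry fields the report and the patch talk about. */
struct dentry {
	struct inode *d_inode;	/* attached by d_instantiate() */
	void *d_fsdata;		/* filesystem-private data; here, the xattr store */
};

/* Constructed stand-in for cgroup's per-file private data holding one xattr. */
struct cfent {
	char xattr_name[32];
	char xattr_value[SMK_LONGLABEL];
};

/* Model of the filesystem getxattr that reads the xattr off d_fsdata.
 * In the kernel a NULL here is the reported oops; the model returns -EFAULT
 * so the bad ordering is observable instead of fatal. */
static int model_getxattr(struct dentry *dp, const char *name, char *buf, size_t size)
{
	struct cfent *cfe = dp->d_fsdata;
	if (dp->d_inode == NULL || cfe == NULL)
		return -EFAULT;			/* would have been a NULL dereference */
	if (strcmp(cfe->xattr_name, name) != 0)
		return -ENODATA;
	size_t n = strlen(cfe->xattr_value);
	if (n >= size)
		return -ERANGE;
	memcpy(buf, cfe->xattr_value, n + 1);
	return (int)n;
}

static const struct inode_ops model_iops = { .getxattr = model_getxattr };

enum fetch_status { FETCH_LABEL, FETCH_NOLABEL, FETCH_WOULD_OOPS };

static char last_label_buf[SMK_LONGLABEL];	/* where the fetched label lands */

/* Model of smk_fetch(). guard != 0 applies the d_inode/d_fsdata check from
 * the patch in this report; a NULL result means "no label, use the default". */
static enum fetch_status model_smk_fetch(const char *name, struct inode *ip,
					 struct dentry *dp, int guard)
{
	if (ip->i_op->getxattr == NULL)
		return FETCH_NOLABEL;
	if (guard && (dp->d_inode == NULL || dp->d_fsdata == NULL))
		return FETCH_NOLABEL;		/* patch: bail out, object stays unlabeled */
	int rc = ip->i_op->getxattr(dp, name, last_label_buf, sizeof last_label_buf);
	if (rc == -EFAULT)
		return FETCH_WOULD_OOPS;
	return rc < 0 ? FETCH_NOLABEL : FETCH_LABEL;
}

/* Model of d_instantiate(): attach the inode, then run the LSM hook at once. */
static enum fetch_status model_d_instantiate(struct dentry *dp, struct inode *ip, int guard)
{
	dp->d_inode = ip;
	return model_smk_fetch("security.SMACK64", ip, dp, guard);
}

/* Buggy order: the hook runs while d_fsdata is still NULL. */
static enum fetch_status create_file_buggy(int guard)
{
	struct inode ino = { .i_mode = 0644, .i_op = &model_iops };
	struct cfent cfe = { "security.SMACK64", "Rubble" };	/* constructed label */
	struct dentry d = { 0 };
	memset(last_label_buf, 0, sizeof last_label_buf);
	enum fetch_status st = model_d_instantiate(&d, &ino, guard);
	d.d_fsdata = &cfe;			/* too late: the hook already ran */
	return st;
}

/* Fixed order, as the cgroup commit title describes: private data first. */
static enum fetch_status create_file_fixed(int guard)
{
	struct inode ino = { .i_mode = 0644, .i_op = &model_iops };
	struct cfent cfe = { "security.SMACK64", "Rubble" };	/* constructed label */
	struct dentry d = { 0 };
	memset(last_label_buf, 0, sizeof last_label_buf);
	d.d_fsdata = &cfe;
	return model_d_instantiate(&d, &ino, guard);
}

static const char *last_label(void) { return last_label_buf; }

int main(void)
{
	static const char *names[] = { "label fetched", "no label (default)", "would oops" };
	printf("buggy, unguarded : %s\n", names[create_file_buggy(0)]);
	printf("buggy, guarded   : %s\n", names[create_file_buggy(1)]);
	printf("fixed, unguarded : %s (%s)\n", names[create_file_fixed(0)], last_label());
	printf("fixed, guarded   : %s (%s)\n", names[create_file_fixed(1)], last_label());
	return 0;
}
```

The guarded-buggy case is the one to look at: the crash is gone, but the object that was meant to carry the "Rubble" label is created with none, which is why the discussion prefers fixing the creation order in the filesystem over widening the check in the LSM.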