Re: [PATCH] EVM: Fix null dereference on xattr when xattr fails to allocate

[Dan Carpenter]

Not really related to this patch except I was looking at the function:

security/integrity/evm/evm_secfs.c
   191          ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR);
   192          if (IS_ERR(ab))
   193                  return PTR_ERR(ab);
   194  
   195          xattr = kmalloc(sizeof(struct xattr_list), GFP_KERNEL);
   196          if (!xattr) {
   197                  err = -ENOMEM;
   198                  goto out;
   199          }
   200  
   201          xattr->name = memdup_user_nul(buf, count);
   202          if (IS_ERR(xattr->name)) {
   203                  err = PTR_ERR(xattr->name);
   204                  xattr->name = NULL;
   205                  goto out;
   206          }
   207  
   208          /* Remove any trailing newline */
   209          len = strlen(xattr->name);
   210          if (xattr->name[len-1] == '\n')

strlen() could be zero, leading to a read underflow here.

   211                  xattr->name[len-1] = '\0';
   212  
   213          if (strcmp(xattr->name, ".") == 0) {
   214                  evm_xattrs_locked = 1;
   215                  newattrs.ia_mode = S_IFREG | 0440;
   216                  newattrs.ia_valid = ATTR_MODE;
   217                  inode = evm_xattrs->d_inode;
   218                  inode_lock(inode);
   219                  err = simple_setattr(evm_xattrs, &newattrs);
   220                  inode_unlock(inode);
   221                  audit_log_format(ab, "locked");
   222                  if (!err)
   223                          err = count;
   224                  goto out;
   225          }

regards,
dan carpenter