[LTP] [PATCH] Add listxattr04 reproducer
Andrea Cervesato
andrea.cervesato@suse.de
Thu Jul 3 10:17:56 CEST 2025
From: Andrea Cervesato <andrea.cervesato@suse.com>
Test reproducer for a bug introduced in 8b0ba61df5a1 ("fs/xattr.c: fix
simple_xattr_list to always include security.* xattrs").
Bug can be reproduced when SELinux and ACL are activated on inodes as
following:
$ touch testfile
$ setfacl -m u:myuser:rwx testfile
$ getfattr -dm. /tmp/testfile
Segmentation fault (core dumped)
The reason why this happens is that simple_xattr_list() always includes
security.* xattrs without resetting error flag after
security_inode_listsecurity(). This results into an incorrect length of the
returned xattr name if POSIX ACL is also applied on the inode.
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Reproducer for https://lore.kernel.org/linux-fsdevel/m1wm9qund4.fsf@gmail.com/T/
---
testcases/kernel/syscalls/listxattr/.gitignore | 1 +
testcases/kernel/syscalls/listxattr/Makefile | 2 +
testcases/kernel/syscalls/listxattr/listxattr04.c | 110 ++++++++++++++++++++++
3 files changed, 113 insertions(+)
diff --git a/testcases/kernel/syscalls/listxattr/.gitignore b/testcases/kernel/syscalls/listxattr/.gitignore
index be0675a6df0080d176d53d70194442bbc9ed376c..0d672b6ea5eec03aab37ee89316c56e24356c1d9 100644
--- a/testcases/kernel/syscalls/listxattr/.gitignore
+++ b/testcases/kernel/syscalls/listxattr/.gitignore
@@ -1,3 +1,4 @@
/listxattr01
/listxattr02
/listxattr03
+/listxattr04
diff --git a/testcases/kernel/syscalls/listxattr/Makefile b/testcases/kernel/syscalls/listxattr/Makefile
index c2f84b1590fc24a7a98f890ea7706771d944aa79..e96bb3fa4c2c6b14b8d2bc8fd4c475e4789d72fe 100644
--- a/testcases/kernel/syscalls/listxattr/Makefile
+++ b/testcases/kernel/syscalls/listxattr/Makefile
@@ -6,4 +6,6 @@ top_srcdir ?= ../../../..
include $(top_srcdir)/include/mk/testcases.mk
+listxattr04: LDLIBS += $(ACL_LIBS)
+
include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/syscalls/listxattr/listxattr04.c b/testcases/kernel/syscalls/listxattr/listxattr04.c
new file mode 100644
index 0000000000000000000000000000000000000000..11f559094c3dd85da0dd1bd8b0716a478e8cdb0f
--- /dev/null
+++ b/testcases/kernel/syscalls/listxattr/listxattr04.c
@@ -0,0 +1,110 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2025 Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * Test reproducer for a bug introduced in 8b0ba61df5a1 ("fs/xattr.c: fix
+ * simple_xattr_list to always include security.* xattrs").
+ *
+ * Bug can be reproduced when SELinux and ACL are activated on inodes as
+ * following:
+ *
+ * $ touch testfile
+ * $ setfacl -m u:myuser:rwx testfile
+ * $ getfattr -dm. /tmp/testfile
+ * Segmentation fault (core dumped)
+ *
+ * The reason why this happens is that simple_xattr_list() always includes
+ * security.* xattrs without resetting error flag after
+ * security_inode_listsecurity(). This results into an incorrect length of the
+ * returned xattr name if POSIX ACL is also applied on the inode.
+ */
+
+#include "config.h"
+#include "tst_test.h"
+
+#if defined(HAVE_SYS_XATTR_H) && defined(HAVE_LIBACL)
+
+#include <pwd.h>
+#include <sys/acl.h>
+#include <sys/xattr.h>
+
+#define TEST_FILE "test.bin"
+#define ACL_PERM "u::rw-,u:root:rwx,g::r--,o::r--,m::rwx"
+
+static acl_t acl;
+
+static void verify_xattr(const int size)
+{
+ char buf[size];
+
+ memset(buf, 0, sizeof(buf));
+
+ if (listxattr(TEST_FILE, buf, size) == -1) {
+ if (errno != ERANGE)
+ tst_brk(TBROK | TERRNO, "listxattr() error");
+
+ tst_res(TFAIL, "listxattr() failed with ERANGE. "
+ "xattr might be bugged if combining ACL with SELinux on inodes.");
+
+ return;
+ }
+
+ tst_res(TPASS, "listxattr() correctly read attributes length");
+}
+
+static void run(void)
+{
+ int size;
+
+ size = listxattr(TEST_FILE, NULL, 0);
+ if (size == -1)
+ tst_brk(TBROK | TERRNO, "listxattr() error");
+
+ verify_xattr(size);
+}
+
+static void setup(void)
+{
+ int res;
+
+ if (!tst_selinux_enforcing())
+ tst_brk(TCONF, "SELinux is not enabled with enforcing");
+
+ SAFE_TOUCH(TEST_FILE, 0644, NULL);
+
+ acl = acl_from_text(ACL_PERM);
+ if (!acl)
+ tst_brk(TBROK | TERRNO, "acl_from_text() failed");
+
+ res = acl_set_file(TEST_FILE, ACL_TYPE_ACCESS, acl);
+ if (res == -1) {
+ if (errno == EOPNOTSUPP)
+ tst_brk(TCONF | TERRNO, "acl_set_file()");
+
+ tst_brk(TBROK | TERRNO, "acl_set_file(%s) failed", TEST_FILE);
+ }
+}
+
+static void cleanup(void)
+{
+ if (acl)
+ acl_free(acl);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .needs_root = 1,
+ .needs_tmpdir = 1,
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "800d0b9b6a8b"},
+ {}
+ }
+};
+
+#else /* HAVE_SYS_XATTR_H && HAVE_LIBACL */
+ TST_TEST_TCONF("<sys/xattr.h> or <sys/acl.h> does not exist.");
+#endif
---
base-commit: a908cff70f9389c2dd2bf535976cb179bfa8f340
change-id: 20250702-xattr_bug_repr-5873b84792fb
Best regards,
--
Andrea Cervesato <andrea.cervesato@suse.com>
More information about the ltp
mailing list