[SRU][N][PATCH 1/1] UBUNTU: SAUCE: fs/ceph, selinux: fix NULL pointer dereference on CephFS write with SELinux in permissive mode

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Fri Jul 18 08:47:43 UTC 2025


BugLink: https://bugs.launchpad.net/bugs/2115447

A NULL pointer dereference occurs in the Ceph kernel client (CephFS)
when a file is created on a mounted CephFS volume while SELinux is
enabled in permissive mode.

[ 86.678570] BUG: kernel NULL pointer dereference, address: 000000000000001d
[ 86.679238] #PF: supervisor read access in kernel mode
[ 86.679859] #PF: error_code(0x0000) - not-present page
[ 86.680445] PGD 0 P4D 0
[ 86.681021] Oops: 0000 [#1] PREEMPT SMP PTI
[ 86.681558] CPU: 0 PID: 2818 Comm: touch Not tainted 6.8.0-62-generic #65-Ubuntu
[ 86.682095] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[ 86.682716] RIP: 0010:memcpy_orig+0x54/0x130
[ 86.683267] Code: 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83 c2 20 eb 44 48 01 d6 48 01 d7 48 83 ea 20 0f 1f 00 48 83 ea 20 <4c> 8b 46 f8 4c 8b 4e f0 4c 8b 56 e8 4c 8b 5e e0 48 8d 76 e0 4c 89
[ 86.684464] RSP: 0018:ffffa79300b2f7e0 EFLAGS: 00010283
[ 86.685060] RAX: ffff9aeb6123a008 RBX: 0000000000000ff8 RCX: 0000000000000000
[ 86.685659] RDX: ffffffffffffffe5 RSI: 0000000000000025 RDI: ffff9aeb6123a02d
[ 86.686265] RBP: ffffa79300b2f810 R08: 0000000000000025 R09: 0000000000000000
[ 86.686843] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000025
[ 86.687366] R13: 0000000000000000 R14: ffff9aeb408d5960 R15: ffffa79300b2f8e4
[ 86.687888] FS: 0000724d07b47740(0000) GS:ffff9aec77c00000(0000) knlGS:0000000000000000
[ 86.688416] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 86.688947] CR2: 000000000000001d CR3: 000000012038a004 CR4: 00000000001706f0
[ 86.689541] Call Trace:
[ 86.690124] <TASK>
[ 86.690704] ? show_regs+0x6d/0x80
[ 86.691256] ? __die+0x24/0x80
[ 86.691807] ? page_fault_oops+0x99/0x1b0
[ 86.692426] ? kernelmode_fixup_or_oops.isra.0+0x69/0x90
[ 86.692991] ? __bad_area_nosemaphore+0x19e/0x2c0
[ 86.693563] ? find_vma+0x34/0x60
[ 86.694214] ? bad_area_nosemaphore+0x16/0x30
[ 86.694835] ? do_user_addr_fault+0x29d/0x670
[ 86.695439] ? exc_page_fault+0x83/0x1b0
[ 86.696024] ? asm_exc_page_fault+0x27/0x30
[ 86.696614] ? memcpy_orig+0x54/0x130
[ 86.697202] ? ceph_pagelist_append+0x124/0x150 [libceph]
[ 86.697995] ceph_security_init_secctx+0xce/0x1f0 [ceph]
[ 86.698733] ceph_new_inode+0x80/0xe0 [ceph]
[ 86.699484] ceph_atomic_open+0x3b2/0x9d0 [ceph]
[ 86.700239] ? may_create+0x141/0x150
[ 86.700903] lookup_open.isra.0+0x3a9/0x570
[ 86.701534] open_last_lookups+0x14f/0x400
[ 86.702196] path_openat+0x99/0x2d0
[ 86.702815] do_filp_open+0xaf/0x170
[ 86.703475] do_sys_openat2+0xb3/0xe0
[ 86.704098] __x64_sys_openat+0x55/0xa0
[ 86.704804] x64_sys_call+0x1eb1/0x25a0
[ 86.705437] do_syscall_64+0x7f/0x180
[ 86.706120] ? filemap_map_pages+0x2fe/0x4c0
[ 86.706792] ? __lruvec_stat_mod_folio+0x70/0xc0
[ 86.707444] ? do_read_fault+0x112/0x200
[ 86.708157] ? do_fault+0xf0/0x260
[ 86.708850] ? handle_pte_fault+0x114/0x1d0
[ 86.709519] ? __handle_mm_fault+0x654/0x800
[ 86.710216] ? __count_memcg_events+0x6b/0x120
[ 86.710884] ? count_memcg_events.constprop.0+0x2a/0x50
[ 86.711505] ? handle_mm_fault+0xad/0x380
[ 86.712136] ? do_user_addr_fault+0x334/0x670
[ 86.712778] ? irqentry_exit_to_user_mode+0x7b/0x260
[ 86.713433] ? irqentry_exit+0x43/0x50
[ 86.714111] ? clear_bhb_loop+0x15/0x70
[ 86.714777] ? clear_bhb_loop+0x15/0x70
[ 86.715330] ? clear_bhb_loop+0x15/0x70
[ 86.715844] entry_SYSCALL_64_after_hwframe+0x78/0x80
[ 86.716378] RIP: 0033:0x724d0791b175
[ 86.716895] Code: 83 e2 40 75 50 89 f0 f7 d0 a9 00 00 41 00 74 45 80 3d de fe 0e 00 00 74 60 89 da 4c 89 e6 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 7f 00 00 00 48 8b 55 b8 64 48 2b 14 25 28
[ 86.718058] RSP: 002b:00007ffd9c151d40 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 86.718648] RAX: ffffffffffffffda RBX: 0000000000000941 RCX: 0000724d0791b175
[ 86.719225] RDX: 0000000000000941 RSI: 00007ffd9c153635 RDI: 00000000ffffff9c
[ 86.719833] RBP: 00007ffd9c151db0 R08: 0000000000000000 R09: 0000000000000000
[ 86.720414] R10: 00000000000001b6 R11: 0000000000000202 R12: 00007ffd9c153635
[ 86.720982] R13: 0000724d07a03248 R14: 0000000000000000 R15: 0000000000000001
[ 86.721596] </TASK>

This patch solves the issue by fixing the initialization of the LSM
security context and ensuring that Ceph's pagelist correctly encodes the
full xattr structure. In particular:
- In the SELinux hook selinux_dentry_init_security(), a faulty cast when
  assigning the context pointer is removed, allowing the LSM to populate
  the context buffer correctly, avoiding the NULL pointer dereference
- In ceph_security_init_secctx(), the missing encoding of the xattr name
  and its length is added to the pagelist

Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com>
---
 fs/ceph/xattr.c          | 2 ++
 security/selinux/hooks.c | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
index 4c767a20ac4c..29998982e456 100644
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1428,6 +1428,8 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
 		as_ctx->pagelist = pagelist;
 	}
 
+	ceph_pagelist_encode_32(pagelist, name_len);
+	ceph_pagelist_append(pagelist, name, name_len);
 	ceph_pagelist_encode_32(pagelist, as_ctx->lsmctx.len);
 	ceph_pagelist_append(pagelist, as_ctx->lsmctx.context,
 			     as_ctx->lsmctx.len);
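Review bot: the two added ceph_pagelist_encode_32()/ceph_pagelist_append() calls discard their return values, as do the existing two below them, and nothing in this hunk shows a ceph_pagelist_reserve() sized for the extra 4 + name_len bytes; please confirm the reservation above this context (not visible here) covers the name as well as the value, or check each return and propagate the error instead of silently truncating the record the MDS will parse. The commit message should also say where `name` and `name_len` come from (the xattr_name output of security_dentry_init_security()) and whether this encoding is a piece that went missing from an earlier backport; if upstream already encodes the name at this point, a cherry-pick with the upstream reference is preferable to a SAUCE patch.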
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 35e763fa6aa5..98eacf8ce4a3 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2909,8 +2909,7 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
 		*xattr_name = XATTR_NAME_SELINUX;
 
 	cp->id = LSM_ID_SELINUX;
-	return security_sid_to_context(newsid, (char **)cp->context,
-				       &cp->len);
+	return security_sid_to_context(newsid, &cp->context, &cp->len);
 }
 
 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
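Review bot: the one-line fix is correct, but the commit message should spell out the mechanism, since it is the whole bug: cp->context is a `char *`, so `(char **)cp->context` passed its value (NULL in a freshly initialised lsm_context) as the output pointer, and the cast silenced the incompatible-pointer warning that would otherwise have flagged `security_sid_to_context(newsid, (char **)cp->context, &cp->len)`. That is consistent with the oops: ceph_pagelist_append() copies with length 0x25 (R12/RSI) from a NULL source, and CR2 = 0x1d is 0x25 - 8, the first tail read of memcpy_orig. Two follow-ups: add a Fixes: tag naming the commit that introduced the cast so the SRU can be tracked against it, and consider a defensive check in the ceph caller, since a non-zero `cp->len` with a NULL `cp->context` is exactly the state that should be refused before appending.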
-- 
2.48.1
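As an added example (not part of the patch, the kernel source or the Ubuntu tree), the following user-space C model reproduces both defects the patch fixes so they can be inspected outside a VM. Every name in it is a hypothetical stand-in: lsm_ctx_model for struct lsm_context, pagelist_model for struct ceph_pagelist, sid_to_context_model for security_sid_to_context(), hook() for the SELinux dentry_init_security hook before and after the cast was removed, and encode_secctx() for the pagelist part of ceph_security_init_secctx(). The SELinux label is constructed and chosen so its length with the NUL is 0x25, the value the oops shows in R12/RSI; the assumption that a NULL output pointer makes the sid-to-context routine report only the length is this model's, not a statement about the kernel.

```c
/* Added example, not code from the patch or the kernel: a user-space model of
 * the two defects the patch fixes. Every name is a hypothetical stand-in
 * (lsm_ctx_model, pagelist_model, sid_to_context_model, hook, encode_secctx)
 * for the kernel's lsm_context, ceph_pagelist, security_sid_to_context(),
 * selinux_dentry_init_security() and ceph_security_init_secctx(). */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define XATTR_NAME_MODEL "security.selinux"
/* Constructed label: 36 bytes plus NUL = 37 = 0x25, the length in the oops. */
#define LABEL_MODEL "unconfined_u:object_r:user_home_t:s0"

struct lsm_ctx_model { char *context; uint32_t len; };
struct pagelist_model { uint8_t buf[256]; size_t len; };

static int pl_append(struct pagelist_model *pl, const void *p, size_t n) {
	if (n > sizeof pl->buf - pl->len) return -ENOSPC;
	memcpy(pl->buf + pl->len, p, n);
	pl->len += n;
	return 0;
}

/* Like ceph_pagelist_encode_32(): a little-endian u32. */
static int pl_encode_32(struct pagelist_model *pl, uint32_t v) {
	uint8_t b[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
	return pl_append(pl, b, 4);
}

/* Model of security_sid_to_context(): a NULL output pointer reports only the length (this
 * model's assumption; it matches the oops: len set to 0x25, context never allocated). */
static int sid_to_context_model(char **scontext, uint32_t *len) {
	*len = (uint32_t)strlen(LABEL_MODEL) + 1;
	if (!scontext) return 0;
	if (!(*scontext = malloc(*len))) return -ENOMEM;
	memcpy(*scontext, LABEL_MODEL, *len);
	return 0;
}

/* The hook's last line before/after the patch: the cast hands over the value of cp->context
 * (NULL in a zeroed struct) as the output pointer and silences the warning that would catch it. */
static int hook(struct lsm_ctx_model *cp, int fixed) {
	char **out = fixed ? &cp->context : (char **)cp->context;
	return sid_to_context_model(out, &cp->len);
}

/* Blob layout built by ceph_security_init_secctx(): count, then per xattr (name_len, name,
 * value_len, value); with_name=0 is the layout the first hunk fixes. The NULL guard is what
 * the kernel lacked: it memcpy'd len bytes from a NULL context (the memcpy_orig oops above). */
static int encode_secctx(struct pagelist_model *pl, const struct lsm_ctx_model *ctx, int with_name) {
	uint32_t nl = (uint32_t)strlen(XATTR_NAME_MODEL);
	int err;
	if (!ctx->context) return -EFAULT;
	if ((err = pl_encode_32(pl, 1))) return err;
	if (with_name && ((err = pl_encode_32(pl, nl)) || (err = pl_append(pl, XATTR_NAME_MODEL, nl)))) return err;
	if ((err = pl_encode_32(pl, ctx->len))) return err;
	return pl_append(pl, ctx->context, ctx->len);
}

/* Bounds-checked read of one u32-length-prefixed field (NUL-terminated); out == NULL reads just the u32. */
static int rd_field(const uint8_t *b, size_t len, size_t *off, char *out, size_t cap) {
	uint32_t n;
	if (len - *off < 4) return -EINVAL;
	n = (uint32_t)b[*off] | (uint32_t)b[*off + 1] << 8 | (uint32_t)b[*off + 2] << 16 | (uint32_t)b[*off + 3] << 24;
	*off += 4;
	if (!out) return (int)n;
	if (n >= cap || n > len - *off) return -EINVAL;
	memcpy(out, b + *off, n);
	out[n] = '\0';
	*off += n;
	return (int)n;
}

/* Strict consumer of the layout: 0 on success, -EINVAL when a length runs past the end (the name-less blob) or bytes remain. */
static int decode_secctx(const uint8_t *buf, size_t len, char *name, size_t ncap, char *val, size_t vcap) {
	size_t off = 0;
	int count = rd_field(buf, len, &off, NULL, 0), i;
	if (count < 0) return count;
	for (i = 0; i < count; i++)
		if (rd_field(buf, len, &off, name, ncap) < 0 || rd_field(buf, len, &off, val, vcap) < 0)
			return -EINVAL;
	return off == len ? 0 : -EINVAL;
}

/* Runs hook, encoder and decoder: 1 = one record round-trips with the expected name and value,
 * 0 = mismatch, -EFAULT = the cast bug's NULL context, -EINVAL = malformed blob. */
int scenario(int fixed_hook, int with_name) {
	struct lsm_ctx_model ctx = { NULL, 0 };
	struct pagelist_model pl = { { 0 }, 0 };
	char name[64], val[64];
	int rc = hook(&ctx, fixed_hook);
	if (rc == 0 && ctx.len != 37) rc = -ERANGE;   /* model broken, not one of the two bugs */
	if (rc == 0) rc = encode_secctx(&pl, &ctx, with_name);
	if (rc == 0) rc = decode_secctx(pl.buf, pl.len, name, sizeof name, val, sizeof val);
	if (rc == 0) rc = !strcmp(name, XATTR_NAME_MODEL) && !strcmp(val, LABEL_MODEL);
	free(ctx.context);
	return rc;
}
```

scenario(0, 1) reproduces the state behind the oops: the buggy hook leaves len at 0x25 with context NULL, which the model refuses with -EFAULT where the kernel went on to memcpy from NULL. scenario(1, 0) uses the corrected hook but omits the name, and the strict decoder reports -EINVAL because the value length is consumed as a name length and the record runs off the end of the buffer; scenario(1, 1) applies both fixes and round-trips one well-formed record. A compiler would have caught the cast bug had the cast not been there: without it, passing a `char *` where a `char **` is expected produces an incompatible-pointer-type diagnostic.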
