** Changed in: linux (Ubuntu Noble)
Status: Confirmed => In Progress
** Description changed:
- Below code is failing while compiling with clang:
+ SRU Justification
+
+ [Impact]
+ In ctnetlink_secctx_size() from net/netfilter/nf_conntrack_netlink.c,
+ `len` is used uninitialized, triggering the following warning when
+ compiling with Clang:
+
+ net/netfilter/nf_conntrack_netlink.c:674:41: warning: variable 'len' is
uninitialized when used here [-Wuninitialized]
+ 674 | + nla_total_size(sizeof(char) * len); /*
CTA_SECCTX_NAME */
+ | ^~~
+ net/netfilter/nf_conntrack_netlink.c:667:9: note: initialize the variable
'len' to silence this warning
+ 667 | int len, ret;
+ | ^
+ | = 0
+
+ [Fix]
+ Match mainline commit 2d470c778120 ("lsm: replace context+len with
lsm_context").
+
+ [Test Plan]
+ Compile with Clang, check the warning is gone and no other warning has been
triggered.
+
+ [Where problems could occur]
+ This patch touches bits of the netlink interface for nf_conntrack. However,
+ it addresses a clear mistake in the current implementation, so no issues
+ should be introduced.
+
+
+ ---------------------------- Original bug report ----------------------------
+
+ Below code is failing while compiling with clang:
static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
{
#ifdef CONFIG_NF_CONNTRACK_SECMARK
- int len, ret;
- ^^^ <-- len is not initialized before use
+ int len, ret;
+ ^^^ <-- len is not initialized before use
- ret = security_secid_to_secctx(ct->secmark, NULL);
- if (ret < 0)
- return 0;
+ ret = security_secid_to_secctx(ct->secmark, NULL);
+ if (ret < 0)
+ return 0;
- return nla_total_size(0) /* CTA_SECCTX */
- + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
- ^^^ <-- len has not been
initialized
+ return nla_total_size(0) /* CTA_SECCTX */
+ + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
+ ^^^ <-- len has not been
initialized
#else
- return 0;
+ return 0;
#endif
}
Looking into git history I realized that there an incomplete commit of
2d470c778120d3cdb8d8ab250329ca85f49f12b1 (lsm: replace context+len with
lsm_context) causing it:
commit c45f92d3c95e9a242c0b22e2f7f24e4f319391dd
Author: Casey Schaufler <[email protected]>
Date: Tue Dec 12 14:21:57 2023 -0800
- UBUNTU: SAUCE: apparmor4.0.0 [17/90]: LSM stacking v39: LSM: Use
+ UBUNTU: SAUCE: apparmor4.0.0 [17/90]: LSM stacking v39: LSM: Use
lsmcontext in security_secid_to_secctx
- BugLink: http://bugs.launchpad.net/bugs/2028253
+ BugLink: http://bugs.launchpad.net/bugs/2028253
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2120561
Title:
Fix compilation failure because of incomplete backport
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Noble:
In Progress
Bug description:
SRU Justification

[Impact]
In ctnetlink_secctx_size() from net/netfilter/nf_conntrack_netlink.c,
`len` is used uninitialized, triggering the following warning when
compiling with Clang:

net/netfilter/nf_conntrack_netlink.c:674:41: warning: variable 'len' is uninitialized when used here [-Wuninitialized]
    674 |        + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
        |                                        ^~~
net/netfilter/nf_conntrack_netlink.c:667:9: note: initialize the variable 'len' to silence this warning
    667 |         int len, ret;
        |                ^
        |                 = 0

[Fix]
Match mainline commit 2d470c778120 ("lsm: replace context+len with lsm_context").

[Test Plan]
Compile with Clang, check the warning is gone and no other warning has been
triggered.

[Where problems could occur]
This patch touches bits of the netlink interface for nf_conntrack. However,
it addresses a clear mistake in the current implementation, so no issues
should be introduced.

---------------------------- Original bug report ----------------------------
Below code is failing while compiling with clang:

static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
{
#ifdef CONFIG_NF_CONNTRACK_SECMARK
        int len, ret;
            ^^^ <-- len is not initialized before use

        ret = security_secid_to_secctx(ct->secmark, NULL);
        if (ret < 0)
                return 0;

        return nla_total_size(0) /* CTA_SECCTX */
               + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
                                               ^^^ <-- len has not been initialized
#else
        return 0;
#endif
}

Looking into git history I realized that there is an incomplete commit of
2d470c778120d3cdb8d8ab250329ca85f49f12b1 (lsm: replace context+len
with lsm_context) causing it:

commit c45f92d3c95e9a242c0b22e2f7f24e4f319391dd
Author: Casey Schaufler <[email protected]>
Date: Tue Dec 12 14:21:57 2023 -0800

    UBUNTU: SAUCE: apparmor4.0.0 [17/90]: LSM stacking v39: LSM: Use lsmcontext in security_secid_to_secctx

    BugLink: http://bugs.launchpad.net/bugs/2028253
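
Added example, not part of the bug report or the kernel source: a userspace model of the sizing pattern in ctnetlink_secctx_size(), where the length is taken from the call's return value so that no separate `len` exists to be left uninitialized. mock_secid_to_secctx(), struct mock_lsm_context, secctx_size() and the label string are hypothetical, and the return convention (context length on success, negative errno on failure) is an assumption.

```c
#include <stdio.h>

/* Same arithmetic as the kernel's nla_total_size(): 4-byte header, 4-byte alignment. */
#define NLA_HDRLEN 4
#define NLA_ALIGN(n) (((n) + 3) & ~3)

static int nla_total_size(int payload)
{
	return NLA_ALIGN(NLA_HDRLEN + payload);
}

/* Hypothetical stand-in for the lsm_context-style result buffer. */
struct mock_lsm_context {
	const char *context;
	unsigned int len;
};

/*
 * Hypothetical stand-in for the two-argument security_secid_to_secctx().
 * Assumption: returns the context length on success and a negative errno
 * on failure; cp == NULL asks for the length only.
 */
static int mock_secid_to_secctx(unsigned int secid, struct mock_lsm_context *cp)
{
	static const char ctx[] = "system_u:object_r:example_t:s0"; /* constructed */
	if (secid == 0)
		return -22; /* -EINVAL: no label for this secid */
	if (cp) {
		cp->context = ctx;
		cp->len = sizeof(ctx) - 1;
	}
	return (int)(sizeof(ctx) - 1);
}

/* The size estimate takes the length from the return value; no separate 'len'. */
static int secctx_size(unsigned int secmark)
{
	int ret = mock_secid_to_secctx(secmark, NULL);
	if (ret < 0)
		return 0;
	return nla_total_size(0)                          /* CTA_SECCTX */
	       + nla_total_size((int)sizeof(char) * ret); /* CTA_SECCTX_NAME */
}

int main(void)
{
	printf("secmark 1 -> %d, secmark 0 -> %d\n", secctx_size(1), secctx_size(0));
	return 0;
}
```

With the uninitialized `len` from the report in place of `ret`, the second nla_total_size() argument would be an indeterminate value and the attribute size estimate would no longer track the label length.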