Thanks for providing detailed info.
After debugging I can confirm that the NULL pointer dereference is
caused by the following code in selinux_dentry_init_security():
    return security_sid_to_context(newsid, (char **)cp->context,
                                   &cp->len);
The signature of the function security_sid_to_context() is the following
one:
    int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
It is possible to notice that it expects a double char pointer, but
selinux_dentry_init_security is passing a single one (cp->context).
This can be solved by applying the following patch:
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 35e763fa6aa52..98eacf8ce4a39 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2909,8 +2909,7 @@ static int selinux_dentry_init_security(struct dentry
*dentry, int mode,
*xattr_name = XATTR_NAME_SELINUX;
cp->id = LSM_ID_SELINUX;
- return security_sid_to_context(newsid, (char **)cp->context,
- &cp->len);
+ return security_sid_to_context(newsid, &cp->context, &cp->len);
}
static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
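Review bot: the replacement call drops the `(char **)` cast and passes `&cp->context`, which is the right shape for the `char **scontext` parameter, but the patch carries no commit message, Fixes: tag or Signed-off-by, so it cannot be traced to the change that introduced the cast. Please add those, and note in the message that the removed cast was what hid the pointer-type mismatch from the compiler, so other callers of security_sid_to_context() that still cast their second argument deserve the same check.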
However, after solving the NULL ptr deref, I am facing a new bug: every
time I write to Ceph storage I get the following:
...
[ 100.352279] ceph: [b999c973-e962-4fd6-ba06-c83b2f6f679c 24126]: mds0 reconnect start
[ 100.353931] ceph: [b999c973-e962-4fd6-ba06-c83b2f6f679c 24126]: mds0 reconnect success
[ 102.440164] ceph: [b999c973-e962-4fd6-ba06-c83b2f6f679c 24126]: mds0 recovery completed
[ 102.593905] libceph: mds0 (1)192.168.8.133:6801 socket closed (con state OPEN)
[ 103.039016] libceph: mds0 (1)192.168.8.133:6801 socket error on write
[ 103.295025] libceph: mds0 (1)192.168.8.133:6801 socket error on write
[ 103.798653] libceph: mds0 (1)192.168.8.133:6801 socket error on write
[ 105.070530] ceph: [b999c973-e962-4fd6-ba06-c83b2f6f679c 24126]: mds0 reconnect start
[ 105.071884] ceph: [b999c973-e962-4fd6-ba06-c83b2f6f679c 24126]: mds0 reconnect success
[ 107.183395] ceph: [b999c973-e962-4fd6-ba06-c83b2f6f679c 24126]: mds0 recovery completed
[ 107.360695] libceph: mds0 (1)192.168.8.133:6801 socket closed (con state OPEN)
[ 108.030861] libceph: mds0 (1)192.168.8.133:6801 socket error on write
[ 108.286839] libceph: mds0 (1)192.168.8.133:6801 socket error on write
...
This new issue requires more debugging.
--
https://bugs.launchpad.net/bugs/2115447
Title:
Ubuntu 24.04.2: NULL pointer dereference with Ceph and selinux
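The two call shapes discussed in the message above, reduced to a userspace model; this is an added example, not part of the original message and not kernel code. The names ctx_model, sid_to_context_model, constructed_label and ctx_is_consistent are hypothetical, and the model's handling of a NULL scontext and the initially NULL context field are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical userspace model of the object behind cp; not kernel code. */
struct ctx_model {
    char *context;
    uint32_t len;
    int id;
};

static char constructed_label[] = "system_u:object_r:constructed_t:s0";

/* Same parameter types as the signature quoted in the message. Assumption of
 * this model: a NULL scontext means "report the length only". */
static int sid_to_context_model(uint32_t sid, char **scontext,
                                uint32_t *scontext_len)
{
    (void)sid;
    *scontext_len = (uint32_t)sizeof(constructed_label);
    if (scontext)
        *scontext = constructed_label;
    return 0;
}

/* Pre-patch call shape: the value stored in cp->context is cast to char **.
 * The cast suppresses the incompatible-pointer-type diagnostic. */
int call_before_patch(struct ctx_model *cp)
{
    return sid_to_context_model(1, (char **)cp->context, &cp->len);
}

/* Post-patch call shape: the address of the member is passed, no cast. */
int call_after_patch(struct ctx_model *cp)
{
    return sid_to_context_model(1, &cp->context, &cp->len);
}

/* Check a consumer can apply before reading cp->context. */
int ctx_is_consistent(const struct ctx_model *cp)
{
    return cp->len == 0 || cp->context != NULL;
}

int main(void)
{
    struct ctx_model before = {0}, after = {0}; /* context starts NULL (assumed) */
    call_before_patch(&before);
    call_after_patch(&after);
    /* exit 0 when only the pre-patch shape leaves len set and context NULL */
    return (!ctx_is_consistent(&before) && ctx_is_consistent(&after)) ? 0 : 1;
}
```

In this model the pre-patch call still returns 0, so the return value alone does not reveal that the context pointer was never filled in.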