From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758033AbdJKUsO (ORCPT ); Wed, 11 Oct 2017 16:48:14 -0400 Received: from h2.hallyn.com ([78.46.35.8]:50088 "EHLO h2.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751386AbdJKUsL (ORCPT ); Wed, 11 Oct 2017 16:48:11 -0400 Date: Wed, 11 Oct 2017 15:48:09 -0500 From: "Serge E. Hallyn" To: "Serge E. Hallyn" Cc: Colin King , James Morris , linux-security-module@vger.kernel.org, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH][capabilities-next] commoncap: move assignment of fs_ns to avoid null pointer dereference Message-ID: <20171011204809.GD8207@mail.hallyn.com> References: <20170904175005.29871-1-colin.king@canonical.com> <20170904185339.GA11576@mail.hallyn.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20170904185339.GA11576@mail.hallyn.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi James, it doesn't look like this has been picked up yet. Assuming I'm not looking in the wrong place, can you pull it into the security tree? thanks, -serge Quoting Serge E. Hallyn (serge@hallyn.com): > On Mon, Sep 04, 2017 at 06:50:05PM +0100, Colin King wrote: > > From: Colin Ian King > > > > The pointer fs_ns is assigned from inode->i_ib->s_user_ns before > > a null pointer check on inode, hence if inode is actually null we > > will get a null pointer dereference on this assignment. Fix this > > by only dereferencing inode after the null pointer check on > > inode. > > > > Detected by CoverityScan CID#1455328 ("Dereference before null check") > > > > Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities") > > Signed-off-by: Colin Ian King > > thanks! > > Acked-by: Serge Hallyn > > > --- > > security/commoncap.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/security/commoncap.c b/security/commoncap.c > > index c25e0d27537f..fc46f5b85251 100644 > > --- a/security/commoncap.c > > +++ b/security/commoncap.c > > @@ -585,13 +585,14 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data > > struct vfs_ns_cap_data data, *nscaps = &data; > > struct vfs_cap_data *caps = (struct vfs_cap_data *) &data; > > kuid_t rootkuid; > > - struct user_namespace *fs_ns = inode->i_sb->s_user_ns; > > + struct user_namespace *fs_ns; > > > > memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); > > > > if (!inode) > > return -ENODATA; > > > > + fs_ns = inode->i_sb->s_user_ns; > > size = __vfs_getxattr((struct dentry *)dentry, inode, > > XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ); > > if (size == -ENODATA || size == -EOPNOTSUPP) > > -- > > 2.14.1