From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from out4-smtp.messagingengine.com ([66.111.4.28]:59871 "EHLO out4-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751798AbdJXImI (ORCPT ); Tue, 24 Oct 2017 04:42:08 -0400 Subject: FAILED: patch "[PATCH] commoncap: move assignment of fs_ns to avoid null pointer" failed to apply to 4.13-stable tree To: colin.king@canonical.com, james.l.morris@oracle.com, serge@hallyn.com Cc: From: Date: Tue, 24 Oct 2017 09:41:57 +0200 Message-ID: <150883091712759@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: The patch below does not apply to the 4.13-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >>From 76ba89c76f2c74e208d93a9e7c698e39eeb3b85c Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Mon, 4 Sep 2017 18:50:05 +0100 Subject: [PATCH] commoncap: move assignment of fs_ns to avoid null pointer dereference The pointer fs_ns is assigned from inode->i_ib->s_user_ns before a null pointer check on inode, hence if inode is actually null we will get a null pointer dereference on this assignment. Fix this by only dereferencing inode after the null pointer check on inode. Detected by CoverityScan CID#1455328 ("Dereference before null check") Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities") Signed-off-by: Colin Ian King Cc: stable@vger.kernel.org Acked-by: Serge Hallyn Signed-off-by: James Morris diff --git a/security/commoncap.c b/security/commoncap.c index c25e0d27537f..fc46f5b85251 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -585,13 +585,14 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data struct vfs_ns_cap_data data, *nscaps = &data; struct vfs_cap_data *caps = (struct vfs_cap_data *) &data; kuid_t rootkuid; - struct user_namespace *fs_ns = inode->i_sb->s_user_ns; + struct user_namespace *fs_ns; memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); if (!inode) return -ENODATA; + fs_ns = inode->i_sb->s_user_ns; size = __vfs_getxattr((struct dentry *)dentry, inode, XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ); if (size == -ENODATA || size == -EOPNOTSUPP)