All of lore.kernel.org
 help / color / mirror / Atom feed
From: Yongzhi Liu <lyz_cs@pku.edu.cn>
To: serge@hallyn.com, jmorris@namei.org, viro@zeniv.linux.org.uk,
	dhowells@redhat.com, ebiederm@xmission.com
Cc: linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, Yongzhi Liu <lyz_cs@pku.edu.cn>
Subject: [PATCH] commoncap: check return value to avoid null pointer dereference
Date: Mon, 16 May 2022 10:40:02 -0700	[thread overview]
Message-ID: <1652722802-66170-1-git-send-email-lyz_cs@pku.edu.cn> (raw)

The pointer inode is dereferenced before a null pointer
check on inode, hence if inode is actually null we will
get a null pointer dereference. Fix this by only dereferencing
inode after the null pointer check on inode.

Fixes: c6f493d631c ("VFS: security/: d_backing_inode() annotations")
Fixes: 8db6c34 ("Introduce v3 namespaced file capabilities")

Signed-off-by: Yongzhi Liu <lyz_cs@pku.edu.cn>
---
 security/commoncap.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 5fc8986..978f011 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -298,6 +298,8 @@ int cap_inode_need_killpriv(struct dentry *dentry)
 	struct inode *inode = d_backing_inode(dentry);
 	int error;
 
+	if (!inode)
+		return 0;
 	error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0);
 	return error > 0;
 }
@@ -545,11 +547,13 @@ int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
 	const struct vfs_cap_data *cap = *ivalue;
 	__u32 magic, nsmagic;
 	struct inode *inode = d_backing_inode(dentry);
-	struct user_namespace *task_ns = current_user_ns(),
-		*fs_ns = inode->i_sb->s_user_ns;
+	struct user_namespace *task_ns = current_user_ns(), *fs_ns;
 	kuid_t rootid;
 	size_t newsize;
 
+	if (!inode)
+		return -EINVAL;
+	fs_ns = inode->i_sb->s_user_ns;
 	if (!*ivalue)
 		return -EINVAL;
 	if (!validheader(size, cap))
-- 
2.7.4


             reply	other threads:[~2022-05-16 17:42 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-16 17:40 Yongzhi Liu [this message]
2022-05-16 18:14 ` Eric W. Biederman
2022-05-17 21:43 ` Al Viro

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1652722802-66170-1-git-send-email-lyz_cs@pku.edu.cn \
    --to=lyz_cs@pku.edu.cn \
    --cc=dhowells@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=serge@hallyn.com \
    --cc=viro@zeniv.linux.org.uk \
    --subject='Re: [PATCH] commoncap: check return value to avoid null pointer dereference' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.