From: "Eric W. Biederman" <ebiederm@xmission.com>
To: Yongzhi Liu <lyz_cs@pku.edu.cn>
Cc: serge@hallyn.com, jmorris@namei.org, viro@zeniv.linux.org.uk,
dhowells@redhat.com, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] commoncap: check return value to avoid null pointer dereference
Date: Mon, 16 May 2022 13:14:03 -0500 [thread overview]
Message-ID: <87y1z1bb10.fsf@email.froward.int.ebiederm.org> (raw)
In-Reply-To: <1652722802-66170-1-git-send-email-lyz_cs@pku.edu.cn> (Yongzhi Liu's message of "Mon, 16 May 2022 10:40:02 -0700")
Yongzhi Liu <lyz_cs@pku.edu.cn> writes:
> The pointer inode is dereferenced before a null pointer
> check on inode, hence if inode is actually null we will
> get a null pointer dereference. Fix this by only dereferencing
> inode after the null pointer check on inode.
>
> Fixes: c6f493d631c ("VFS: security/: d_backing_inode() annotations")
> Fixes: 8db6c34 ("Introduce v3 namespaced file capabilities")
I don't see how this fixes anything.
The dentry should be non-negative so d_backing_inode should always
return true.
> Signed-off-by: Yongzhi Liu <lyz_cs@pku.edu.cn>
> ---
> security/commoncap.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 5fc8986..978f011 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -298,6 +298,8 @@ int cap_inode_need_killpriv(struct dentry *dentry)
> struct inode *inode = d_backing_inode(dentry);
> int error;
>
> + if (!inode)
> + return 0;
How can dentry->d_inode be valid and d_backing_inode not be valid?
That would seem to be a bug elsewhere in the code if it actually happens.
> error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0);
> return error > 0;
> }
> @@ -545,11 +547,13 @@ int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
> const struct vfs_cap_data *cap = *ivalue;
> __u32 magic, nsmagic;
> struct inode *inode = d_backing_inode(dentry);
> - struct user_namespace *task_ns = current_user_ns(),
> - *fs_ns = inode->i_sb->s_user_ns;
> + struct user_namespace *task_ns = current_user_ns(), *fs_ns;
> kuid_t rootid;
> size_t newsize;
>
> + if (!inode)
> + return -EINVAL;
> + fs_ns = inode->i_sb->s_user_ns;
> if (!*ivalue)
> return -EINVAL;
> if (!validheader(size, cap))
Same with this one. Short of a negative dentry I don't see how
d_backing_inode can be NULL, and we are talking about negative
dentries that should have been handled long before these two functions
are called.
Eric
next prev parent reply other threads:[~2022-05-16 18:14 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-16 17:40 [PATCH] commoncap: check return value to avoid null pointer dereference Yongzhi Liu
2022-05-16 18:14 ` Eric W. Biederman [this message]
2022-05-17 21:43 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y1z1bb10.fsf@email.froward.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lyz_cs@pku.edu.cn \
--cc=serge@hallyn.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.