[PATCH][capabilities-next] commoncap: move assignment of fs_ns to avoid null pointer dereference

Serge E. Hallyn serge at hallyn.com
Wed Oct 11 20:48:09 UTC 2017 

Hi James,

it doesn't look like this has been picked up yet.  Assuming I'm not looking
in the wrong place, can you pull it into the security tree?

thanks,
-serge

Quoting Serge E. Hallyn (serge at hallyn.com):
> On Mon, Sep 04, 2017 at 06:50:05PM +0100, Colin King wrote:
> > From: Colin Ian King <colin.king at canonical.com>
> > 
> > The pointer fs_ns is assigned from inode->i_ib->s_user_ns before
> > a null pointer check on inode, hence if inode is actually null we
> > will get a null pointer dereference on this assignment. Fix this
> > by only dereferencing inode after the null pointer check on
> > inode.
> > 
> > Detected by CoverityScan CID#1455328 ("Dereference before null check")
> > 
> > Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
> > Signed-off-by: Colin Ian King <colin.king at canonical.com>
> 
> thanks!
> 
> Acked-by: Serge Hallyn <serge at hallyn.com>
> 
> > ---
> >  security/commoncap.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index c25e0d27537f..fc46f5b85251 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -585,13 +585,14 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data
> >  	struct vfs_ns_cap_data data, *nscaps = &data;
> >  	struct vfs_cap_data *caps = (struct vfs_cap_data *) &data;
> >  	kuid_t rootkuid;
> > -	struct user_namespace *fs_ns = inode->i_sb->s_user_ns;
> > +	struct user_namespace *fs_ns;
> >  
> >  	memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
> >  
> >  	if (!inode)
> >  		return -ENODATA;
> >  
> > +	fs_ns = inode->i_sb->s_user_ns;
> >  	size = __vfs_getxattr((struct dentry *)dentry, inode,
> >  			      XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ);
> >  	if (size == -ENODATA || size == -EOPNOTSUPP)
> > -- 
> > 2.14.1
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the Linux-security-module-archive mailing list