Subject: Re: KASAN: null-ptr-deref Read in xattr_getsecurity
To: syzbot, "Serge E. Hallyn", "Eric W. Biederman"
References: <0000000000008d2e0d05697a693d@google.com>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
From: Tetsuo Handa Message-ID: <9d192497-8b1e-ca8d-0ed8-b3324ee1e361@I-love.SAKURA.ne.jp> Date: Tue, 10 Apr 2018 19:13:23 +0900 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <0000000000008d2e0d05697a693d@google.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From 904d07a6eb014f3df0c5a1ebfcfd4323276a9a76 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Tue, 10 Apr 2018 15:15:16 +0900 Subject: [PATCH] commoncap: Handle memory allocation failure. syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1], for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when memory allocation failed. Return -ENOMEM if memory allocation failed. [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107 Signed-off-by: Tetsuo Handa Fixes: 8db6c34f1dbc8e06 ("Introduce v3 namespaced file capabilities") Reported-by: syzbot Cc: stable # 4.14+ Cc: Serge E. Hallyn Cc: Eric W. Biederman --- security/commoncap.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/commoncap.c b/security/commoncap.c index 48620c9..1ce701f 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer, magic |= VFS_CAP_FLAGS_EFFECTIVE; memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32); cap->magic_etc = cpu_to_le32(magic); + } else { + size = -ENOMEM; } } kfree(tmpbuf); -- 1.8.3.1
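Review bot: the added `else { size = -ENOMEM; }` branch in cap_inode_getsecurity() stores a negative errno in `size`, whose declaration lies outside the hunk; please confirm `size` is a signed type matching the function's `int` return, so the error does not pass through an unsigned conversion before it reaches the caller. The commit message says only "when memory allocation failed"; it would help to name the allocation whose failure is handled here and to state that the positive return value is what led xattr_getsecurity() to use a buffer that was never allocated. If the function has any other allocation whose failure can still fall through to a positive return, it should be covered in the same patch, since only this one branch is visible in the diff.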