Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp3282108iob; Mon, 16 May 2022 18:03:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwYBm9378e2U0OyCNxHrf+NHGB+/3UKVvQv7xoBvNoojqftL/GWib2HErCtcbloKQV122Sq X-Received: by 2002:a17:906:b053:b0:6fd:d8d5:5cac with SMTP id bj19-20020a170906b05300b006fdd8d55cacmr17538795ejb.370.1652749424188; Mon, 16 May 2022 18:03:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652749424; cv=none; d=google.com; s=arc-20160816; b=n5s/TvAxSvSFY8QO5BesBTaZehZhTS6v/Za8o6dVy8/fvrqlT55cJi4RUjABdf6A9a K6SCZUlNodk4gNWHWc91sdCI+teOdgaHXhn4SjrV3tw7tKD/qffgfc6EUTrWKe/4vrAw GuIP/DAcX+igl/lhJQRIwtphRfmSNz1wOi6zjiYojzeCbJpDAyYqFj26mFcn/XTgqdFE 31c/yE+2mBMRqOuZuZIqGuHDVR8St/msTvnR4qahCfK4k4dPRLnxMQhy5TZ01wqwc0iP 1K6QD5BUwbmCexpcLZ0/UMUxCXpokWh5Gqq5WzJWQaFx6b0e1ieRpIPxt09F/t1caYMv 42Bg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:subject:mime-version:user-agent:message-id :in-reply-to:date:references:cc:to:from; bh=DuEfybuuQrZXMHC9Z9OFjV/jLLrquWOCdjeQfrF3sFw=; b=UJbhjkbm1yQPVg+sdW8OcTK74kNx8137FKmvtTg1Ui5D3w9A7QJ3Dggw3dVTDMgobK ckm3N7n+6QGxjNX+gIO4zblqrIoxUmqpoZEz3WErw9UUsoaJoMDTTuvt+UyBIeq8Gn43 3NLAEj1+XHzuWelWkLx/+nZ43lioN1qxuOXR+jbtZ7DDS+UHh3cIDlDDbvLKilSrNxzh cOZfG8jzx+p/Y5PI6+s7Uyx3jbEQuidOjnoYVl1U0zTJpVo8IKn5mUxDopyBqLbFQhIf JFGkRUsEFZJbBktC6MLH+VDOfVYl+M7V36oyQHqB7MRHB9FdH8SsXyTGveNooxkcFl+V 8ALA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v15-20020a17090606cf00b006e8ab12f927si1176140ejb.124.2022.05.16.18.03.18; Mon, 16 May 2022 18:03:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344630AbiEPSOr (ORCPT + 99 others); Mon, 16 May 2022 14:14:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43462 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344792AbiEPSOi (ORCPT ); Mon, 16 May 2022 14:14:38 -0400 Received: from out01.mta.xmission.com (out01.mta.xmission.com [166.70.13.231]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A3D2B3DA65; Mon, 16 May 2022 11:14:36 -0700 (PDT) Received: from in01.mta.xmission.com ([166.70.13.51]:35888) by out01.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1nqfEo-00DVWz-9p; Mon, 16 May 2022 12:14:34 -0600 Received: from ip68-227-174-4.om.om.cox.net ([68.227.174.4]:38392 helo=email.froward.int.ebiederm.org.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1nqfEl-007IPY-AV; Mon, 16 May 2022 12:14:33 -0600 From: "Eric W. Biederman" To: Yongzhi Liu Cc: serge@hallyn.com, jmorris@namei.org, viro@zeniv.linux.org.uk, dhowells@redhat.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org References: <1652722802-66170-1-git-send-email-lyz_cs@pku.edu.cn> Date: Mon, 16 May 2022 13:14:03 -0500 In-Reply-To: <1652722802-66170-1-git-send-email-lyz_cs@pku.edu.cn> (Yongzhi Liu's message of "Mon, 16 May 2022 10:40:02 -0700") Message-ID: <87y1z1bb10.fsf@email.froward.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1nqfEl-007IPY-AV;;;mid=<87y1z1bb10.fsf@email.froward.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=68.227.174.4;;;frm=ebiederm@xmission.com;;;spf=softfail X-XM-AID: U2FsdGVkX1/qAznHaVwLGdxqAtm8rl5W3J7vvA4ZFdM= X-SA-Exim-Connect-IP: 68.227.174.4 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-DCC: XMission; sa05 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ****;Yongzhi Liu X-Spam-Relay-Country: X-Spam-Timing: total 2390 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 13 (0.6%), b_tie_ro: 11 (0.5%), parse: 1.89 (0.1%), extract_message_metadata: 18 (0.8%), get_uri_detail_list: 2.3 (0.1%), tests_pri_-1000: 8 (0.3%), tests_pri_-950: 1.67 (0.1%), tests_pri_-900: 1.37 (0.1%), tests_pri_-90: 79 (3.3%), check_bayes: 76 (3.2%), b_tokenize: 12 (0.5%), b_tok_get_all: 8 (0.3%), b_comp_prob: 3.6 (0.1%), b_tok_touch_all: 49 (2.0%), b_finish: 1.20 (0.1%), tests_pri_0: 248 (10.4%), check_dkim_signature: 0.81 (0.0%), check_dkim_adsp: 3.8 (0.2%), poll_dns_idle: 1988 (83.2%), tests_pri_10: 2.0 (0.1%), tests_pri_500: 2012 (84.2%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] commoncap: check return value to avoid null pointer dereference X-SA-Exim-Version: 4.2.1 (built Sat, 08 Feb 2020 21:53:50 +0000) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Yongzhi Liu writes: > The pointer inode is dereferenced before a null pointer > check on inode, hence if inode is actually null we will > get a null pointer dereference. Fix this by only dereferencing > inode after the null pointer check on inode. > > Fixes: c6f493d631c ("VFS: security/: d_backing_inode() annotations") > Fixes: 8db6c34 ("Introduce v3 namespaced file capabilities") I don't see how this fixes anything. The dentry should be non-negative so d_backing_inode should always return true. > Signed-off-by: Yongzhi Liu > --- > security/commoncap.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/security/commoncap.c b/security/commoncap.c > index 5fc8986..978f011 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c > @@ -298,6 +298,8 @@ int cap_inode_need_killpriv(struct dentry *dentry) > struct inode *inode = d_backing_inode(dentry); > int error; > > + if (!inode) > + return 0; How can dentry->d_inode be valid and d_backing_inode not be valid? That would seem to be a bug elsewhere in the code if it actually happens. > error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0); > return error > 0; > } > @@ -545,11 +547,13 @@ int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry, > const struct vfs_cap_data *cap = *ivalue; > __u32 magic, nsmagic; > struct inode *inode = d_backing_inode(dentry); > - struct user_namespace *task_ns = current_user_ns(), > - *fs_ns = inode->i_sb->s_user_ns; > + struct user_namespace *task_ns = current_user_ns(), *fs_ns; > kuid_t rootid; > size_t newsize; > > + if (!inode) > + return -EINVAL; > + fs_ns = inode->i_sb->s_user_ns; > if (!*ivalue) > return -EINVAL; > if (!validheader(size, cap)) Same with this one. Short of a negative dentry I don't see how d_backing_inode can be NULL, and we are talking about negative dentries that should have been handled long before these two functions are called. Eric