commoncap: Handle memory allocation failure.

syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1], for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when memory allocation failed. Return -ENOMEM if memory allocation failed. [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107Signed-off-by: N Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Fixes: 8db6c34f ("Introduce v3 namespaced file capabilities") Reported-by: N syzbot <syzbot+9369930ca44f29e60e2d@syzkaller.appspotmail.com> Cc: stable <stable@vger.kernel.org> # 4.14+ Acked-by: N Serge E. Hallyn <serge@hallyn.com> Acked-by: N James Morris <james.morris@microsoft.com> Signed-off-by: N Eric W. Biederman <ebiederm@xmission.com>

commoncap: Handle memory allocation failure.
syzbot is reporting NULL pointer dereference at xattr_getsecurity() [1], for cap_inode_getsecurity() is returning sizeof(struct vfs_cap_data) when memory allocation failed. Return -ENOMEM if memory allocation failed. [1] https://syzkaller.appspot.com/bug?id=a55ba438506fe68649a5f50d2d82d56b365e0107Signed-off-by: N Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Fixes: 8db6c34f ("Introduce v3 namespaced file capabilities") Reported-by: N syzbot <syzbot+9369930ca44f29e60e2d@syzkaller.appspotmail.com> Cc: stable <stable@vger.kernel.org> # 4.14+ Acked-by: N Serge E. Hallyn <serge@hallyn.com> Acked-by: N James Morris <james.morris@microsoft.com> Signed-off-by: N Eric W. Biederman <ebiederm@xmission.com>
1f578172 · Tetsuo Handa · Eric W. Biederman · 2236d4d3 · 1f578172
显示空白变更内容
内联并排

Showing with 2 addition and 0 deletion

security/commoncap.c security/commoncap.c +2 -0

未找到文件。
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -449,6 +449,8 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
 				magic |= VFS_CAP_FLAGS_EFFECTIVE;
 			memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
 			cap->magic_etc = cpu_to_le32(magic);
+		} else {
+			size = -ENOMEM;
 		}
 	}
 	kfree(tmpbuf);