Hi Navid,

Not sure if you meant to cc secalert@xxxxxxxxxx on this. If anything is
needed from our side please let us know!

On Wed Oct 16 22:17:42 2019, navid.emamdoost@xxxxxxxxx wrote:
> Hi Michal, please check v3 at
> https://lore.kernel.org/patchwork/patch/1126650/
>
> Thanks,
> Navid.
>
> On Tue, Sep 10, 2019 at 6:35 AM Michal Kubecek <mkubecek@xxxxxxx> wrote:
> >
> > (Just stumbled upon this patch when a link to it came with a CVE bug
> > report.)
> >
> > On Mon, Jul 29, 2019 at 11:42:26AM -0500, Navid Emamdoost wrote:
> > > nla_nest_start may fail and return NULL. The check is inserted, and
> > > errno is selected based on other call sites within the same source
> > > code.
> > > Update: removed extra new line.
> > >
> > > Signed-off-by: Navid Emamdoost <navid.emamdoost@xxxxxxxxx>
> > > Reviewed-by: Bob Liu <bob.liu@xxxxxxxxxx>
> > > ---
> > >  drivers/block/nbd.c | 5 +++++
> > >  1 file changed, 5 insertions(+)
> > >
> > > diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
> > > index 9bcde2325893..2410812d1e82 100644
> > > --- a/drivers/block/nbd.c
> > > +++ b/drivers/block/nbd.c
> > > @@ -2149,6 +2149,11 @@ static int nbd_genl_status(struct sk_buff *skb, struct genl_info *info)
> > >  	}
> > >
> > >  	dev_list = nla_nest_start_noflag(reply, NBD_ATTR_DEVICE_LIST);
> > > +	if (!dev_list) {
> > > +		ret = -EMSGSIZE;
> > > +		goto out;
> > > +	}
> > > +
> > >  	if (index == -1) {
> > >  		ret = idr_for_each(&nbd_index_idr, &status_cb, reply);
> > >  		if (ret) {
> >
> > You should also call nlmsg_free(reply) when you bail out so that you
> > don't introduce a memory leak.
> >
> > Michal Kubecek
> >

-- 
Kat Bost
Red Hat Product Security
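Review bot: the new "if (!dev_list)" branch jumps to "out" with the reply skb still allocated; nothing in the hunk frees it on that path, so the NULL check trades a NULL dereference for a leak of the message that was built before nla_nest_start_noflag() failed, which is the point Michal raises in his reply. Add nlmsg_free(reply); before goto out; in the new block. The -EMSGSIZE return itself is right, since nla_nest_start_noflag() returns NULL only when the skb has no room left for the attribute header.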