Re: [PATCH v2] fs: fs_parser: avoid NULL param->string to kstrtouint

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



[trimmed Cc list a bit]

On Thu, Aug 15, 2019 at 07:46:56PM -0700, Eric Biggers wrote:
> On Sat, Jul 20, 2019 at 07:29:49AM +0800, Yin Fengwei wrote:
> > syzbot reported general protection fault in kstrtouint:
> > https://lkml.org/lkml/2019/7/18/328
> > 
> > From the log, if the mount option is something like:
> >    fd,XXXXXXXXXXXXXXXXXXXX
> > 
> > The default parameter (which has NULL param->string) will be
> > passed to vfs_parse_fs_param. Finally, this NULL param->string
> > is passed to kstrtouint and trigger NULL pointer access.
> > 
> > Reported-by: syzbot+398343b7c1b1b989228d@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse")
> > 
> > Signed-off-by: Yin Fengwei <nh26223.lmm@xxxxxxxxx>
> > ---
> > ChangeLog:
> >  v1 -> v2:
> >    - Fix typo in v1
> >    - Remove braces {} from single statement blocks
> > 
> >  fs/fs_parser.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/fs/fs_parser.c b/fs/fs_parser.c
> > index 83b66c9e9a24..7498a44f18c0 100644
> > --- a/fs/fs_parser.c
> > +++ b/fs/fs_parser.c
> > @@ -206,6 +206,9 @@ int fs_parse(struct fs_context *fc,
> >  	case fs_param_is_fd: {
> >  		switch (param->type) {
> >  		case fs_value_is_string:
> > +			if (!result->has_value)
> > +				goto bad_value;
> > +
> >  			ret = kstrtouint(param->string, 0, &result->uint_32);
> >  			break;
> >  		case fs_value_is_file:
> > -- 
> > 2.17.1
> 
> Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> 
> Al, can you please apply this patch?
> 
> - Eric

Ping.  Al, when are you going to apply this?

- Eric



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux