[PATCH] bfs: Fix null pointer dereference in bfs_move_block

Syzkaller reported a NULL pointer dereference in
bfs_move_block.

sb_getblk may return a NULL pointer, and if unchecked
this can lead to a NULL pointer dereference. This is
the case in bfs_move_block, where `new` is not checked
before being dereferenced in the memcpy call.

This patch adds a proper check to the return value of
sb_getblk, stored in `new`, and ensures that any previously
allocated resource is deallocated before returning with
an appropriate error code if the `new` pointer is NULL.

Closes: https://syzkaller.appspot.com/bug?extid=dc6ed11a88fb40d6e184
Signed-off-by: Yuran Pereira <yuran.pereira@xxxxxxxxxxx>
---
 fs/bfs/file.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/bfs/file.c b/fs/bfs/file.c
index adc2230079c6..8a97909b1484 100644
--- a/fs/bfs/file.c
+++ b/fs/bfs/file.c
@@ -38,7 +38,12 @@ static int bfs_move_block(unsigned long from, unsigned long to,
 	bh = sb_bread(sb, from);
 	if (!bh)
 		return -EIO;
+
 	new = sb_getblk(sb, to);
+	if (!new) {
+		bforget(bh);
+		return -ENOMEM;
+	}
 	memcpy(new->b_data, bh->b_data, bh->b_size);
 	mark_buffer_dirty(new);
 	bforget(bh);
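Review bot: the error code on the new `if (!new)` path should be reconsidered. sb_getblk returns NULL not only when a buffer cannot be allocated but also when the requested block number is invalid for the device, so `-ENOMEM` is not always accurate; the sb_bread failure a few lines above in the same function returns `-EIO`, and using the same code here keeps the two failure paths consistent for callers. Releasing the already-read `bh` with `bforget(bh)` before returning is correct and matches the existing cleanup after the memcpy. The extra blank line inserted before `new = sb_getblk(sb, to);` is an unrelated whitespace change and could be dropped to keep the fix minimal.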
-- 
2.25.1
