On 11/30/24 07:51, Nihar Chaithanya wrote: > The bug KASAN: null-ptr-deref is triggered due to *val being > dereferenced when it is null in fuse_copy_do() when performing > memcpy(). > Add a check in fuse_copy_one() to prevent this. > > Reported-by: syzbot+87b8e6ed25dbc41759f7@xxxxxxxxxxxxxxxxxxxxxxxxx > Closes: https://syzkaller.appspot.com/bug?extid=87b8e6ed25dbc41759f7 > Fixes: 3b97c3652d91 ("fuse: convert direct io to use folios") > Tested-by: syzbot+87b8e6ed25dbc41759f7@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Nihar Chaithanya <niharchaithanya@xxxxxxxxx> > --- > fs/fuse/dev.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c > index 563a0bfa0e95..9c93759ac14b 100644 > --- a/fs/fuse/dev.c > +++ b/fs/fuse/dev.c > @@ -1070,6 +1070,9 @@ static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes, > /* Copy a single argument in the request to/from userspace buffer */ > static int fuse_copy_one(struct fuse_copy_state *cs, void *val, unsigned size) > { > + if (!val) > + return -EINVAL; > + > while (size) { > if (!cs->len) { > int err = fuse_copy_fill(cs); I'm going to read through Joannes patches in the evening. Without further explanation I find it unusual to have size, but no value. Thanks, Bernd
