[PATCH] fs/reiserfs: Null check to prevent null-ptr-deref bug


 



sb_getblk() can return NULL, so its return value must be checked before it is
dereferenced. Add the missing checks in fix_node.c, journal.c and stree.c to
prevent NULL pointer dereferences.

Signed-off-by: Xiaochen Zou <xzou017@xxxxxxx>
---
 fs/reiserfs/fix_node.c |  2 ++
 fs/reiserfs/journal.c  | 13 ++++++++++++-
 fs/reiserfs/stree.c    |  2 ++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/fs/reiserfs/fix_node.c b/fs/reiserfs/fix_node.c
index 6c13a8d9a73c..cfa2520a34c3 100644
--- a/fs/reiserfs/fix_node.c
+++ b/fs/reiserfs/fix_node.c
@@ -888,6 +888,8 @@ static int get_empty_nodes(struct tree_balance *tb, int h)
 		       "PAP-8135: reiserfs_new_blocknrs failed when got new blocks");
 
 		new_bh = sb_getblk(sb, *blocknr);
+		if (unlikely(!new_bh))
+			return -ENOMEM;
 		RFALSE(buffer_dirty(new_bh) ||
 		       buffer_journaled(new_bh) ||
 		       buffer_journal_dirty(new_bh),
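Review bot: The new `return -ENOMEM` after `sb_getblk()` on `new_bh` walks out of the loop without releasing anything obtained so far: the PAP-8135 assertion above shows the block numbers were just handed out by the allocator, and buffers obtained by earlier iterations of the enclosing loop (its start and the function's return statements are outside the hunk) are not dropped. If get_empty_nodes reports its outcome with the balance codes used elsewhere in fix_node.c (CARRY_ON, REPEAT_SEARCH, NO_DISK_SPACE) rather than a negative errno, a bare `-ENOMEM` would reach fix_nodes as an unrecognised value, so the other return statements in this function should be checked and this one made to match them. Whatever value is chosen, a one-line comment stating what happens to the already-allocated block numbers on this path, e.g. `/* sb_getblk() failed: blocknrs already allocated are handled by the caller's repeat path */`, should be added only once that has been confirmed.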
diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
index 171c912af50f..c8e6e9c07f31 100644
--- a/fs/reiserfs/journal.c
+++ b/fs/reiserfs/journal.c
@@ -2115,6 +2115,7 @@ static int journal_read_transaction(struct super_block *sb,
 	struct reiserfs_journal_desc *desc;
 	struct reiserfs_journal_commit *commit;
 	unsigned int trans_id = 0;
+	int err = 0;
 	struct buffer_head *c_bh;
 	struct buffer_head *d_bh;
 	struct buffer_head **log_blocks = NULL;
@@ -2209,11 +2210,19 @@ static int journal_read_transaction(struct super_block *sb,
 			real_blocks[i] =
 			    sb_getblk(sb,
 				      le32_to_cpu(desc->j_realblock[i]));
+			if (unlikely(!real_blocks[i])) {
+				err = -ENOMEM;
+				goto out;
+			}
 		} else {
 			real_blocks[i] =
 			    sb_getblk(sb,
 				      le32_to_cpu(commit->
 						  j_realblock[i - trans_half]));
+			if (unlikely(!real_blocks[i])) {
+				err = -ENOMEM;
+				goto out;
+			}
 		}
 		if (real_blocks[i]->b_blocknr > SB_BLOCK_COUNT(sb)) {
 			reiserfs_warning(sb, "journal-1207",
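Review bot: The two new `goto out` jumps leave the buffer heads already held in `log_blocks[0..i]` and `real_blocks[0..i-1]` unreleased: the `out:` label this patch adds only does `brelse(c_bh)`, `brelse(d_bh)` and frees the two arrays, so every reference taken by earlier loop iterations is leaked on this failure path. The pre-existing journal-1207 failure directly below has to drop the same references, so jumping to its cleanup path, or calling the file's `brelse_array(log_blocks, i); brelse_array(real_blocks, i);` (if that helper is available; count `i + 1` for log_blocks if the current iteration's log block was already obtained at the top of the loop) before `goto out`, would fix it. The check is also duplicated in both arms of the if/else; a single `if (unlikely(!real_blocks[i]))` placed after the if/else covers both arms. journal_read_transaction continues outside the hunk.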
@@ -2300,11 +2309,13 @@ static int journal_read_transaction(struct super_block *sb,
 	/* check for trans_id overflow */
 	if (journal->j_trans_id == 0)
 		journal->j_trans_id = 10;
+
+out:
 	brelse(c_bh);
 	brelse(d_bh);
 	kfree(log_blocks);
 	kfree(real_blocks);
-	return 0;
+	return err;
 }
 
 /*
diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
index 2138ee7d271d..eee861680348 100644
--- a/fs/reiserfs/stree.c
+++ b/fs/reiserfs/stree.c
@@ -562,6 +562,8 @@ static int search_by_key_reada(struct super_block *s,
 
 	for (i = 0; i < num; i++) {
 		bh[i] = sb_getblk(s, b[i]);
+		if (unlikely(!bh[i]))
+			return -ENOMEM;
 	}
 	/*
 	 * We are going to read some blocks on which we
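Review bot: The new `return -ENOMEM` leaves `bh[0..i-1]`, which earlier iterations of this loop have just obtained from `sb_getblk()`, without a matching `brelse()`, so a single failed lookup leaks every buffer head obtained before it. search_by_key_reada's body continues outside the hunk; if the readahead loop that follows iterates over the `i` heads actually obtained rather than `num`, and the function's return value is not an errno that the caller in search_by_key checks, then a plain `if (unlikely(!bh[i])) break;` is both simpler and leak-free. If an error return is really wanted, release what was obtained first: `while (i--) brelse(bh[i]);` before `return -ENOMEM;`.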
-- 
2.25.1





