Patch "fs: ntfs3: Fix possible null-pointer dereferences in mi_read()" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    fs: ntfs3: Fix possible null-pointer dereferences in mi_read()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     fs-ntfs3-fix-possible-null-pointer-dereferences-in-m.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 344458b6a9215d0aa365b4ffb2d809aab9af101c
Author: Jia-Ju Bai <baijiaju@xxxxxxxxxxx>
Date:   Tue Mar 21 21:22:11 2023 +0800

    fs: ntfs3: Fix possible null-pointer dereferences in mi_read()
    
    [ Upstream commit 97498cd610c0d030a7bd49a7efad974790661162 ]
    
    In a previous commit 2681631c2973 ("fs/ntfs3: Add null pointer check to
    attr_load_runs_vcn"), ni can be NULL in attr_load_runs_vcn(), and thus it
    should be checked before being used.
    
    However, in the call stack of this commit, mft_ni in mi_read() is
    aliased with ni in attr_load_runs_vcn(), and it is also used in
    mi_read() at two places:
    
    mi_read()
      rw_lock = &mft_ni->file.run_lock -> No check
      attr_load_runs_vcn(mft_ni, ...)
        ni (namely mft_ni) is checked in the previous commit
      attr_load_runs_vcn(..., &mft_ni->file.run) -> No check
    
    Thus, to avoid possible null-pointer dereferences, the related checks
    should be added.
    
    These bugs are reported by a static analysis tool implemented by myself,
    and they are found by extending a known bug fixed in the previous commit.
    Thus, they could be theoretical bugs.
    
    Signed-off-by: Jia-Ju Bai <baijiaju@xxxxxxxxxxx>
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
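The commit message describes an aliasing problem: `mft_ni` in mi_read() is the same pointer that attr_load_runs_vcn() already checks for NULL, so the two unguarded uses in mi_read() (taking `&mft_ni->file.run_lock` and passing `&mft_ni->file.run`) must be guarded by the same condition. The following is an added, user-space model of that invariant written for this page; it is not the ntfs3 driver's code. The struct definitions, the `read_trace` bookkeeping, the `mi_read_model()` function and its simplified control flow are all constructed stand-ins, and the kernel helpers are replaced by counters so the behaviour can be observed without a kernel. The model shows the two properties the patch relies on: `rw_lock` is non-NULL only when `mft_ni` is non-NULL, and `run` is derived from `mft_ni` under that same check, so a NULL `mft_ni` reaches attr_load_runs_vcn()'s existing check instead of being dereferenced first.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel objects mi_read() touches.
 * These are NOT the ntfs3 definitions; they only carry the fields the model uses. */
struct rw_semaphore { int readers; int writers; };
struct runs_tree { int entries; };
struct ntfs_inode {
    struct { struct runs_tree run; struct rw_semaphore run_lock; } file;
};
struct ntfs_sb_info { struct ntfs_inode *mft_ni; bool mounted; };

/* Bookkeeping so a test can observe what the model did (constructed, not kernel code). */
struct read_trace {
    bool took_read_lock;
    bool took_write_lock;
    const struct runs_tree *run_passed;
};

/* Counter-based replacements for the rw_semaphore primitives. */
static void down_read(struct rw_semaphore *s)  { s->readers++; }
static void up_read(struct rw_semaphore *s)    { s->readers--; }
static void down_write(struct rw_semaphore *s) { s->writers++; }
static void up_write(struct rw_semaphore *s)   { s->writers--; }

/* Stand-in for attr_load_runs_vcn(): records which runs_tree it received and
 * performs the NULL check the commit message attributes to 2681631c2973. */
static int attr_load_runs_vcn(struct ntfs_inode *ni, struct runs_tree *run,
                              struct read_trace *t)
{
    t->run_passed = run;
    if (!ni)
        return -1;          /* ni (aliased with mft_ni) is NULL: bail out, no deref */
    return 0;
}

/* Simplified model of mi_read() after the patch. The real function reads the
 * record and retries on a non-resident attribute; that part is omitted here. */
static int mi_read_model(struct ntfs_sb_info *sbi, bool is_mft, struct read_trace *t)
{
    struct ntfs_inode *mft_ni = sbi->mft_ni;
    /* 'run' is taken from mft_ni only when mft_ni is non-NULL (assumed to match
     * how the driver initialises the local the second hunk passes). */
    struct runs_tree *run = mft_ni ? &mft_ni->file.run : NULL;
    struct rw_semaphore *rw_lock = NULL;
    int err;

    t->took_read_lock = false;
    t->took_write_lock = false;
    t->run_passed = NULL;

    if (sbi->mounted) {
        if (!is_mft && mft_ni) {                  /* first hunk: added mft_ni check */
            rw_lock = &mft_ni->file.run_lock;     /* only reached with mft_ni != NULL */
            down_read(rw_lock);
            t->took_read_lock = true;
        }
    }

    /* Every later use of mft_ni is guarded by rw_lock, which is non-NULL only
     * when mft_ni is non-NULL, so no unguarded dereference remains. */
    if (rw_lock) {
        up_read(rw_lock);
        down_write(rw_lock);
        t->took_write_lock = true;
    }
    err = attr_load_runs_vcn(mft_ni, run, t);     /* second hunk: pass 'run', not &mft_ni->file.run */
    if (rw_lock)
        up_write(rw_lock);
    return err;
}
```

With `mft_ni` NULL the model takes no lock, passes a NULL `run`, and returns the error from attr_load_runs_vcn()'s own check; with a valid inode it takes and releases both lock modes and passes the inode's runs tree, leaving the semaphore counters balanced.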

diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c
index af1e4b364ea8e..07037ec773ac8 100644
--- a/fs/ntfs3/record.c
+++ b/fs/ntfs3/record.c
@@ -124,7 +124,7 @@ int mi_read(struct mft_inode *mi, bool is_mft)
 	struct rw_semaphore *rw_lock = NULL;
 
 	if (is_mounted(sbi)) {
-		if (!is_mft) {
+		if (!is_mft && mft_ni) {
 			rw_lock = &mft_ni->file.run_lock;
 			down_read(rw_lock);
 		}
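Review bot: the added `&& mft_ni` in `if (!is_mft && mft_ni)` means rw_lock stays NULL whenever mft_ni is NULL, so the correctness of every later mft_ni use in this function now depends on it sitting under an `if (rw_lock)` guard; that coupling is implicit and deserves a one-line comment at the assignment, for example `/* rw_lock is non-NULL only when mft_ni is */`, so a future edit that takes the lock on another path does not silently reintroduce the dereference.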
@@ -148,7 +148,7 @@ int mi_read(struct mft_inode *mi, bool is_mft)
 		ni_lock(mft_ni);
 		down_write(rw_lock);
 	}
-	err = attr_load_runs_vcn(mft_ni, ATTR_DATA, NULL, 0, &mft_ni->file.run,
+	err = attr_load_runs_vcn(mft_ni, ATTR_DATA, NULL, 0, run,
 				 vbo >> sbi->cluster_bits);
 	if (rw_lock) {
 		up_write(rw_lock);
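Review bot: the replacement argument `run` is a local that is not declared anywhere in the shown context, so this hunk is NULL-safe only if `run` is initialised from mft_ni with its own NULL check elsewhere in mi_read(); the patch context or the commit message should show that declaration rather than leave the reader to infer it. Separately, `ni_lock(mft_ni)` at the top of the hunk still dereferences mft_ni in the visible lines; it is safe only because its enclosing block is conditioned on rw_lock, which the first hunk sets only when mft_ni is non-NULL, and that dependency is worth stating in the commit message alongside the two call sites it lists.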


