From patchwork Sun Oct 23 16:39:43 2022
X-Patchwork-Submitter: Hawkins Jiawei
X-Patchwork-Id: 8055
From: Hawkins Jiawei
To: yin31149@gmail.com, Steve French, Paulo Alcantara, Ronnie Sahlberg, Shyam Prasad N, Tom Talpey
Cc: 18801353760@163.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org
Subject: [PATCH -next 1/5] smb3: fix possible null-ptr-deref when parsing param
Date: Mon, 24 Oct 2022 00:39:43 +0800
Message-Id: <20221023163945.39920-2-yin31149@gmail.com>
In-Reply-To: <20221023163945.39920-1-yin31149@gmail.com>
References: <20221023163945.39920-1-yin31149@gmail.com>

According to commit "vfs: parse: deal with zero length string value", the kernel will set param->string to a null pointer in vfs_parse_fs_string() if the fs string has zero length.

Yet the problem is that smb3_fs_context_parse_param() will dereference param->string without checking whether it is a null pointer, which may trigger a null-ptr-deref bug.

This patch solves it by adding a sanity check on param->string in smb3_fs_context_parse_param().

Signed-off-by: Hawkins Jiawei

--- fs/cifs/fs_context.c | 58 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c index 45119597c765..7832e5d6bbb0 100644 --- a/fs/cifs/fs_context.c +++ b/fs/cifs/fs_context.c
@@ -858,7 +858,8 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, * fs_parse can not handle string options with an empty value so * we will need special handling of them. */ - if (param->type == fs_value_is_string && param->string[0] == 0) { + if ((param->type == fs_value_is_string && param->string[0] == 0) || + param->type == fs_value_is_empty) { if (!strcmp("pass", param->key) || !strcmp("password", param->key)) { skip_parsing = true; opt = Opt_pass; @@ -1124,6 +1125,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, case Opt_source: kfree(ctx->UNC); ctx->UNC = NULL; + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } switch (smb3_parse_devname(param->string, ctx)) { case 0: break; @@ -1181,6 +1187,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, } break; case Opt_ip: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (strlen(param->string) == 0) { ctx->got_ip = false; break; @@ -1194,6 +1205,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, ctx->got_ip = true; break; case Opt_domain: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (strnlen(param->string, CIFS_MAX_DOMAINNAME_LEN) == CIFS_MAX_DOMAINNAME_LEN) { pr_warn("domain name too long\n"); @@ -1209,6 +1225,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, cifs_dbg(FYI, "Domain name set\n"); break; case Opt_srcaddr: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (!cifs_convert_address( (struct sockaddr *)&ctx->srcaddr, param->string, strlen(param->string))) { 
@@ -1218,6 +1239,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, } break; case Opt_iocharset: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (strnlen(param->string, 1024) >= 65) { pr_warn("iocharset name too long\n"); goto cifs_parse_mount_err; @@ -1237,6 +1263,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, cifs_dbg(FYI, "iocharset set to %s\n", ctx->iocharset); break; case Opt_netbiosname: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } memset(ctx->source_rfc1001_name, 0x20, RFC1001_NAME_LEN); /* @@ -1257,6 +1288,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, pr_warn("netbiosname longer than 15 truncated\n"); break; case Opt_servern: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } /* last byte, type, is 0x20 for servr type */ memset(ctx->target_rfc1001_name, 0x20, RFC1001_NAME_LEN_WITH_NULL); @@ -1277,6 +1313,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, pr_warn("server netbiosname longer than 15 truncated\n"); break; case Opt_ver: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } /* version of mount userspace tools, not dialect */ /* If interface changes in mount.cifs bump to new ver */ if (strncasecmp(param->string, "1", 1) == 0) { 
@@ -1292,16 +1333,31 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, pr_warn("Invalid mount helper version specified\n"); goto cifs_parse_mount_err; case Opt_vers: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } /* protocol version (dialect) */ if (cifs_parse_smb_version(fc, param->string, ctx, is_smb3) != 0) goto cifs_parse_mount_err; ctx->got_version = true; break; case Opt_sec: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (cifs_parse_security_flavors(fc, param->string, ctx) != 0) goto cifs_parse_mount_err; break; case Opt_cache: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (cifs_parse_cache_flavor(fc, param->string, ctx) != 0) goto cifs_parse_mount_err; break;
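Review bot: in the first hunk of fs/cifs/fs_context.c (@@ -858) the left-hand side of the new condition still reads `param->string[0]` whenever `param->type == fs_value_is_string`. The commit message says a zero-length value now arrives with `param->string` set to NULL, so either that branch can no longer see an empty string and is dead, or it needs its own `param->string &&` guard. Please say which in the comment above the condition, which still describes only the old behaviour ("fs_parse can not handle string options with an empty value").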
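Review bot: in the `Opt_source` hunk (@@ -1124) the new NULL check sits after `kfree(ctx->UNC); ctx->UNC = NULL;`, so a rejected empty `source=` still discards the previously stored UNC before the function fails. Moving the check above the `kfree()` leaves the context untouched on the error path.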
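Review bot: in the `Opt_ip` hunk (@@ -1181) the added check changes behaviour rather than only preventing a crash. If zero-length values are delivered as NULL, as the commit message states, an empty `ip=` now jumps to `cifs_parse_mount_err` and never reaches the existing `if (strlen(param->string) == 0) { ctx->got_ip = false; break; }` path. If that is intended, state it in the commit message and drop the now-dead `strlen()` branch; otherwise treat NULL like the empty string here and clear `got_ip`.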
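Review bot: from the `Opt_domain` hunk (@@ -1194) through `Opt_cache` (@@ -1292) the same five-line `if (!param->string) { cifs_errorf(...); goto cifs_parse_mount_err; }` block is pasted into every case, eleven copies across the patch. A small helper, or one check placed ahead of the switch for options that take a string, would keep the copies from drifting and make it harder to forget the check when a new string option is added. The message also hard-codes the text '(null)' as the value; wording such as "empty value" would tell the user what was actually wrong with the option.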
From patchwork Sun Oct 23 16:39:45 2022
X-Patchwork-Submitter: Hawkins Jiawei
X-Patchwork-Id: 8056
From: Hawkins Jiawei
To: yin31149@gmail.com, Trond Myklebust, Anna Schumaker
Cc: 18801353760@163.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org
Subject: [PATCH -next 2/5] nfs: fix possible null-ptr-deref when parsing param
Date: Mon, 24 Oct 2022 00:39:45 +0800
Message-Id: <20221023163945.39920-3-yin31149@gmail.com>
In-Reply-To: <20221023163945.39920-1-yin31149@gmail.com>
References: <20221023163945.39920-1-yin31149@gmail.com>

According to commit "vfs: parse: deal with zero length string value", the kernel will set param->string to a null pointer in vfs_parse_fs_string() if the fs string has zero length.

Yet the problem is that nfs_fs_context_parse_param() will dereference param->string without checking whether it is a null pointer, which may trigger a null-ptr-deref bug.

This patch solves it by adding a sanity check on param->string in nfs_fs_context_parse_param().

Signed-off-by: Hawkins Jiawei
Reviewed-by: Jeff Layton

--- fs/nfs/fs_context.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c index 4da701fd1424..0c330bc13ef2 100644 --- a/fs/nfs/fs_context.c +++ b/fs/nfs/fs_context.c
@@ -684,6 +684,8 @@ static int nfs_fs_context_parse_param(struct fs_context *fc, return ret; break; case Opt_vers: + if (!param->string) + goto out_invalid_value; trace_nfs_mount_assign(param->key, param->string); ret = nfs_parse_version_string(fc, param->string); if (ret < 0) @@ -696,6 +698,8 @@ static int nfs_fs_context_parse_param(struct fs_context *fc, break; case Opt_proto: + if (!param->string) + goto out_invalid_value; trace_nfs_mount_assign(param->key, param->string); protofamily = AF_INET; switch (lookup_constant(nfs_xprt_protocol_tokens, param->string, -1)) { 
@@ -732,6 +736,8 @@ static int nfs_fs_context_parse_param(struct fs_context *fc, break; case Opt_mountproto: + if (!param->string) + goto out_invalid_value; trace_nfs_mount_assign(param->key, param->string); mountfamily = AF_INET; switch (lookup_constant(nfs_xprt_protocol_tokens, param->string, -1)) {
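Review bot: all three hunks in fs/nfs/fs_context.c (`Opt_vers`, `Opt_proto`, `Opt_mountproto`) jump to `out_invalid_value`, a label that is not shown in this diff. If that label formats `param->string` into its error message, the NULL value is still consumed on the way out, so please confirm what it prints or quote it in the commit message. Placing each check ahead of `trace_nfs_mount_assign(param->key, param->string)` is right, but the commit message should also say why these three options were chosen and whether any other string option in the function needs the same check.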
From patchwork Sun Oct 23 16:39:47 2022
X-Patchwork-Submitter: Hawkins Jiawei
X-Patchwork-Id: 8057
From: Hawkins Jiawei
To: yin31149@gmail.com, Xiubo Li, Ilya Dryomov, Jeff Layton
Cc: 18801353760@163.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, ceph-devel@vger.kernel.org
Subject: [PATCH -next 3/5] ceph: fix possible null-ptr-deref when parsing param
Date: Mon, 24 Oct 2022 00:39:47 +0800
Message-Id: <20221023163945.39920-4-yin31149@gmail.com>
In-Reply-To: <20221023163945.39920-1-yin31149@gmail.com>
References: <20221023163945.39920-1-yin31149@gmail.com>

According to commit "vfs: parse: deal with zero length string value", the kernel will set param->string to a null pointer in vfs_parse_fs_string() if the fs string has zero length.

Yet the problem is that ceph_parse_mount_param() will dereference param->string without checking whether it is a null pointer, which may trigger a null-ptr-deref bug.

This patch solves it by adding a sanity check on param->string in ceph_parse_mount_param().

Signed-off-by: Hawkins Jiawei

--- fs/ceph/super.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ceph/super.c b/fs/ceph/super.c index 3fc48b43cab0..341e23fe29eb 100644 --- a/fs/ceph/super.c +++ b/fs/ceph/super.c
@@ -417,6 +417,9 @@ static int ceph_parse_mount_param(struct fs_context *fc, param->string = NULL; break; case Opt_mds_namespace: + if (!param->string) + return invalfc(fc, "Bad value '%s' for mount option '%s'\n", + param->string, param->key); if (!namespace_equals(fsopt, param->string, strlen(param->string))) return invalfc(fc, "Mismatching mds_namespace"); kfree(fsopt->mds_namespace);
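Review bot: the added `Opt_mds_namespace` check passes `param->string` as the first `%s` argument on the very branch where it has just been tested to be NULL: `return invalfc(fc, "Bad value '%s' for mount option '%s'\n", param->string, param->key);`. Drop that argument and spell the value out in the format string, as patch 1/5 does with its literal '(null)', so the error path does not depend on how the formatter treats a NULL string. The new message also ends in `\n` while the neighbouring `invalfc(fc, "Mismatching mds_namespace")` does not; pick one convention for the function.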
From patchwork Sun Oct 23 16:39:49 2022
X-Patchwork-Submitter: Hawkins Jiawei
X-Patchwork-Id: 8058
From: Hawkins Jiawei
To: yin31149@gmail.com, Bob Peterson, Andreas Gruenbacher
Cc: 18801353760@163.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, syzbot+da97a57c5b742d05db51@syzkaller.appspotmail.com, cluster-devel@redhat.com, syzkaller-bugs@googlegroups.com
Subject: [PATCH -next 4/5] gfs2: fix possible null-ptr-deref when parsing param
Date: Mon, 24 Oct 2022 00:39:49 +0800
Message-Id: <20221023163945.39920-5-yin31149@gmail.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221023163945.39920-1-yin31149@gmail.com>
References: <20221023163945.39920-1-yin31149@gmail.com>

According to commit "vfs: parse: deal with zero length string value",
the kernel will set param->string to a null pointer in
vfs_parse_fs_string() if the fs string has zero length.

Yet the problem is that gfs2_parse_param() will dereference
param->string without checking whether it is a null pointer, which may
trigger a null-ptr-deref bug.

This patch solves it by adding a sanity check on param->string in
gfs2_parse_param().

Reported-by: syzbot+da97a57c5b742d05db51@syzkaller.appspotmail.com
Tested-by: syzbot+da97a57c5b742d05db51@syzkaller.appspotmail.com
Cc: agruenba@redhat.com
Cc: cluster-devel@redhat.com
Cc: linux-kernel@vger.kernel.org
Cc: rpeterso@redhat.com
Cc: syzkaller-bugs@googlegroups.com
Signed-off-by: Hawkins Jiawei
---
 fs/gfs2/ops_fstype.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c index c0cf1d2d0ef5..934746f18c25 100644 --- a/fs/gfs2/ops_fstype.c +++ b/fs/gfs2/ops_fstype.c @@ -1446,12 +1446,18 @@ static int gfs2_parse_param(struct fs_context *fc, struct fs_parameter *param) switch (o) { case Opt_lockproto: + if (!param->string) + goto bad_val; strscpy(args->ar_lockproto, param->string, GFS2_LOCKNAME_LEN); break; case Opt_locktable: + if (!param->string) + goto bad_val; strscpy(args->ar_locktable, param->string, GFS2_LOCKNAME_LEN); break; case Opt_hostdata: + if (!param->string) + goto bad_val; strscpy(args->ar_hostdata, param->string, GFS2_LOCKNAME_LEN); break; case Opt_spectator: 
@@ -1535,6 +1541,10 @@ static int gfs2_parse_param(struct fs_context *fc, struct fs_parameter *param) return invalfc(fc, "invalid mount option: %s", param->key); } return 0; + +bad_val: + return invalfc(fc, "Bad value '%s' for mount option '%s'\n", + param->string, param->key); } static int gfs2_reconfigure(struct fs_context *fc)

From patchwork Sun Oct 23 16:39:51 2022
X-Patchwork-Submitter: Hawkins Jiawei
X-Patchwork-Id: 8059
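
Review bot: In the first hunk of fs/gfs2/ops_fstype.c (the Opt_lockproto, Opt_locktable and Opt_hostdata cases of gfs2_parse_param()), a zero-length value is now rejected with an error, and the commit message does not say whether that is the intended semantics or only a way to avoid the dereference. If an empty lockproto=, locktable= or hostdata= was accepted before and simply copied an empty string into args->ar_*, this is a user-visible change and should be stated, or the NULL case should be handled as an empty string instead. The identical check "if (!param->string) goto bad_val;" is also repeated in all three cases; a short comment saying why these three options need it would help the next reader who adds a string option to this switch.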
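
Review bot: At the new bad_val label in gfs2_parse_param(), param->string is passed for the first '%s', but every "goto bad_val" added by this patch is taken only when param->string is NULL, so the message can never show a real value and relies on the format code tolerating a NULL string argument. Drop that argument and report only the option name, for example invalfc(fc, "Missing value for mount option '%s'", param->key). The format string also ends in "\n" while the neighbouring invalfc(fc, "invalid mount option: %s", param->key) in the context lines has none; the two calls should agree.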
From: Hawkins Jiawei
To: yin31149@gmail.com
Cc: 18801353760@163.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: [PATCH -next 5/5] proc: fix possible null-ptr-deref when parsing param
Date: Mon, 24 Oct 2022 00:39:51 +0800
Message-Id: <20221023163945.39920-6-yin31149@gmail.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221023163945.39920-1-yin31149@gmail.com>
References: <20221023163945.39920-1-yin31149@gmail.com>

According to commit "vfs: parse: deal with zero length string value",
the kernel will set param->string to a null pointer in
vfs_parse_fs_string() if the fs string has zero length.

Yet the problem is that proc_parse_param() will dereference
param->string without checking whether it is a null pointer, which may
trigger a null-ptr-deref bug.

This patch solves it by adding a sanity check on param->string in
proc_parse_param().

Signed-off-by: Hawkins Jiawei
---
 fs/proc/root.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/proc/root.c b/fs/proc/root.c index 3c2ee3eb1138..5346809dc3c3 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -130,6 +130,9 @@ static int proc_parse_param(struct fs_context *fc, struct fs_parameter *param) break; case Opt_subset: + if (!param->string) + return invalfc(fc, "Bad value '%s' for mount option '%s'\n", + param->string, param->key); if (proc_parse_subset_param(fc, param->string) < 0) return -EINVAL; break;
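
Review bot: In the Opt_subset case of proc_parse_param(), the new invalfc() call sits inside "if (!param->string)" yet still formats param->string with '%s', so the value it prints is always the NULL pointer that was just tested for. Report only param->key and word the message as a missing value rather than a bad one. The two failure paths for this option are also inconsistent after the change: the NULL case logs a message through invalfc(), while the existing proc_parse_subset_param() failure right below returns a bare -EINVAL with no message; consider making both report the same way.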