Message ID | 20180907122534.ojogke2alt3ldbom@kili.mountain (mailing list archive) |
---|---|
State | New, archived |
Series | vfs: namespace: error pointer dereference in do_remount() |
This patch also fixes the syzbot bug (BUG: unable to handle kernel paging request in do_mount)
(https://syzkaller.appspot.com/bug?id=611b50e30eb1634e75688903289148fe2a042c1d)

Short description of the syzbot reproducer:
* do_mount() is called with remount flag
* vfs_new_fs_context() is called and tries to allocate a new context
* slab allocation fails due to injected fault
* an invalid context is passed to parse_monolithic_mount_data()
* kernel crash due to invalid pointer access

On 07.09.2018 15:25, Dan Carpenter wrote:
> We need to check if vfs_new_fs_context() returns an error pointer.
>
> Fixes: fd0002870b45 ("vfs: Implement a filesystem superblock creation/configuration context")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/fs/namespace.c b/fs/namespace.c > index a240e20093e0..841517520c08 100644 > --- a/fs/namespace.c > +++ b/fs/namespace.c > @@ -2384,6 +2384,8 @@ static int do_remount(struct path *path, int ms_flags, int sb_flags, > fc = vfs_new_fs_context(path->dentry->d_sb->s_type, > path->dentry, sb_flags, MS_RMT_MASK, > FS_CONTEXT_FOR_RECONFIGURE); > + if (IS_ERR(fc)) > + return PTR_ERR(fc); > > err = parse_monolithic_mount_data(fc, data, data_size); > if (err < 0) >
diff --git a/fs/namespace.c b/fs/namespace.c index a240e20093e0..841517520c08 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2384,6 +2384,8 @@ static int do_remount(struct path *path, int ms_flags, int sb_flags, fc = vfs_new_fs_context(path->dentry->d_sb->s_type, path->dentry, sb_flags, MS_RMT_MASK, FS_CONTEXT_FOR_RECONFIGURE); + if (IS_ERR(fc)) + return PTR_ERR(fc); err = parse_monolithic_mount_data(fc, data, data_size); if (err < 0)
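Review bot: the direct `return PTR_ERR(fc);` added right after the vfs_new_fs_context() call in do_remount() leaves the function without going through any unwind path, and the hunk does not show what the function has acquired before this point. Please confirm nothing taken earlier in do_remount() needs releasing here; if the `if (err < 0)` branch that follows parse_monolithic_mount_data() jumps to a cleanup label, check whether this failure should set err and use the same label, or say in the changelog why a bare return is safe. The changelog would also be stronger if it stated the consequence (the unchecked error pointer is handed to parse_monolithic_mount_data() and dereferenced) and referenced the syzbot report mentioned in the reply.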
We need to check if vfs_new_fs_context() returns an error pointer.

Fixes: fd0002870b45 ("vfs: Implement a filesystem superblock creation/configuration context")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
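The failure chain in the reproducer description, as a user-space sketch added here (not code from the patch or the kernel): an allocator that reports failure as an encoded error pointer, which a NULL test does not catch. `err_ptr`, `ptr_err` and `is_err` are stand-ins for the kernel's `ERR_PTR`, `PTR_ERR` and `IS_ERR`; `struct ctx`, `new_ctx` and `reconfigure` are hypothetical names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space stand-ins for the kernel's error-pointer helpers: the top
 * MAX_ERRNO addresses are reserved to carry a negative errno value. */
#define MAX_ERRNO 4095
static void *err_ptr(long err) { return (void *)(intptr_t)err; }
static long ptr_err(const void *p) { return (long)(intptr_t)p; }
static int is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

/* Hypothetical context type and allocator (assumed for illustration). */
struct ctx { int flags; };

static struct ctx *new_ctx(int flags, int inject_fault)
{
    struct ctx *c;

    if (inject_fault)               /* simulated allocation failure */
        return err_ptr(-ENOMEM);
    c = calloc(1, sizeof(*c));
    if (!c)
        return err_ptr(-ENOMEM);
    c->flags = flags;
    return c;
}

/* A NULL test misses an error pointer, because it is non-NULL. */
static int null_check_catches(const void *p) { return p == NULL; }

/* Checked pattern: test with is_err() before any dereference and
 * propagate the encoded errno to the caller. */
static int reconfigure(int flags, int inject_fault)
{
    struct ctx *c = new_ctx(flags, inject_fault);
    int ret;

    if (is_err(c))
        return (int)ptr_err(c);
    ret = c->flags;                 /* safe: c points at a real object */
    free(c);
    return ret;
}

int main(void)
{
    printf("NULL check catches error pointer: %d\n",
           null_check_catches(err_ptr(-ENOMEM)));
    printf("fault: %d, ok: %d\n", reconfigure(8, 1), reconfigure(8, 0));
    return 0;
}
```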