Message ID | 20190923223437.11086-1-navid.emamdoost@gmail.com |
---|---|
State | New |
On 24.09.19 at 1:34, Navid Emamdoost wrote:
> In btrfsic_mount if btrfsic_dev_state_alloc fails the allocated state
> will be leaked. It needs to be released on error handling path.
>
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>

NAK. The allocated state could have been added to a btrfsic_dev_state which in turn is linked by btrfsic_dev_state_hashtable_add. So when later ds->state is dereferenced it will cause a UAF and likely result in a crash.

Looking at the integrity code I also don't like how it's structured, e.g. if a memory error occurs then only some devices will be added to the btrfsic_dev_state_hashtable and the super block is not going to be validated at all.

> ---
> fs/btrfs/check-integrity.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/btrfs/check-integrity.c b/fs/btrfs/check-integrity.c > index 0b52ab4cb964..8a77b0cb2db3 100644 > --- a/fs/btrfs/check-integrity.c > +++ b/fs/btrfs/check-integrity.c > @@ -2941,6 +2941,7 @@ int btrfsic_mount(struct btrfs_fs_info *fs_info, > if (NULL == ds) { > pr_info("btrfs check-integrity: kmalloc() failed!\n"); > mutex_unlock(&btrfsic_mutex); > + kvfree(state); > return -ENOMEM; > } > ds->bdev = device->bdev; >
diff --git a/fs/btrfs/check-integrity.c b/fs/btrfs/check-integrity.c index 0b52ab4cb964..8a77b0cb2db3 100644 --- a/fs/btrfs/check-integrity.c +++ b/fs/btrfs/check-integrity.c @@ -2941,6 +2941,7 @@ int btrfsic_mount(struct btrfs_fs_info *fs_info, if (NULL == ds) { pr_info("btrfs check-integrity: kmalloc() failed!\n"); mutex_unlock(&btrfsic_mutex); + kvfree(state); return -ENOMEM; } ds->bdev = device->bdev;
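Review bot: The added `kvfree(state);` in the `if (NULL == ds)` error exit of btrfsic_mount is a use-after-free risk rather than a leak fix, as the NAK above points out: by the time a btrfsic_dev_state allocation fails for one device, dev states for earlier devices may already hold `state` in their `ds->state` and be reachable through btrfsic_dev_state_hashtable_add, so freeing `state` here leaves those entries with a dangling pointer that is dereferenced later. If the leak is to be closed on this path, the error handling has to unwind the whole partially-built mount first (unlink and free every dev state already added to the hashtable, then release `state`) rather than freeing `state` alone; the patch description should also say why that ordering is safe. As a smaller style point, the context line `if (NULL == ds)` would normally be written `if (!ds)` in kernel code, but that is pre-existing and outside this change.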
In btrfsic_mount if btrfsic_dev_state_alloc fails the allocated state will be leaked. It needs to be released on error handling path.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
fs/btrfs/check-integrity.c | 1 +
1 file changed, 1 insertion(+)