Message ID | 20190719232949.27978-1-nh26223.lmm@gmail.com (mailing list archive)
---|---
State | New, archived
Series | [v2] fs: fs_parser: avoid NULL param->string to kstrtouint
On Sat, Jul 20, 2019 at 07:29:49AM +0800, Yin Fengwei wrote: > syzbot reported general protection fault in kstrtouint: > https://lkml.org/lkml/2019/7/18/328 > > From the log, if the mount option is something like: > fd,XXXXXXXXXXXXXXXXXXXX > > The default parameter (which has NULL param->string) will be > passed to vfs_parse_fs_param. Finally, this NULL param->string > is passed to kstrtouint and trigger NULL pointer access. > > Reported-by: syzbot+398343b7c1b1b989228d@syzkaller.appspotmail.com > Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse") > > Signed-off-by: Yin Fengwei <nh26223.lmm@gmail.com> > --- > ChangeLog: > v1 -> v2: > - Fix typo in v1 > - Remove braces {} from single statement blocks > > fs/fs_parser.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/fs_parser.c b/fs/fs_parser.c > index 83b66c9e9a24..7498a44f18c0 100644 > --- a/fs/fs_parser.c > +++ b/fs/fs_parser.c > @@ -206,6 +206,9 @@ int fs_parse(struct fs_context *fc, > case fs_param_is_fd: { > switch (param->type) { > case fs_value_is_string: > + if (!result->has_value) > + goto bad_value; > + > ret = kstrtouint(param->string, 0, &result->uint_32); > break; > case fs_value_is_file: > -- > 2.17.1 Reviewed-by: Eric Biggers <ebiggers@kernel.org> Al, can you please apply this patch? - Eric
[trimmed Cc list a bit] On Thu, Aug 15, 2019 at 07:46:56PM -0700, Eric Biggers wrote: > On Sat, Jul 20, 2019 at 07:29:49AM +0800, Yin Fengwei wrote: > > syzbot reported general protection fault in kstrtouint: > > https://lkml.org/lkml/2019/7/18/328 > > > > From the log, if the mount option is something like: > > fd,XXXXXXXXXXXXXXXXXXXX > > > > The default parameter (which has NULL param->string) will be > > passed to vfs_parse_fs_param. Finally, this NULL param->string > > is passed to kstrtouint and trigger NULL pointer access. > > > > Reported-by: syzbot+398343b7c1b1b989228d@syzkaller.appspotmail.com > > Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse") > > > > Signed-off-by: Yin Fengwei <nh26223.lmm@gmail.com> > > --- > > ChangeLog: > > v1 -> v2: > > - Fix typo in v1 > > - Remove braces {} from single statement blocks > > > > fs/fs_parser.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/fs/fs_parser.c b/fs/fs_parser.c > > index 83b66c9e9a24..7498a44f18c0 100644 > > --- a/fs/fs_parser.c > > +++ b/fs/fs_parser.c > > @@ -206,6 +206,9 @@ int fs_parse(struct fs_context *fc, > > case fs_param_is_fd: { > > switch (param->type) { > > case fs_value_is_string: > > + if (!result->has_value) > > + goto bad_value; > > + > > ret = kstrtouint(param->string, 0, &result->uint_32); > > break; > > case fs_value_is_file: > > -- > > 2.17.1 > > Reviewed-by: Eric Biggers <ebiggers@kernel.org> > > Al, can you please apply this patch? > > - Eric Ping. Al, when are you going to apply this? - Eric
On Wed, Aug 21, 2019 at 09:22:49PM -0700, Eric Biggers wrote: > > > diff --git a/fs/fs_parser.c b/fs/fs_parser.c > > > index 83b66c9e9a24..7498a44f18c0 100644 > > > --- a/fs/fs_parser.c > > > +++ b/fs/fs_parser.c > > > @@ -206,6 +206,9 @@ int fs_parse(struct fs_context *fc, > > > case fs_param_is_fd: { > > > switch (param->type) { > > > case fs_value_is_string: > > > + if (!result->has_value) > > > + goto bad_value; > > > + > > > ret = kstrtouint(param->string, 0, &result->uint_32); > > > break; > > > case fs_value_is_file: > > > -- > > > 2.17.1 > > > > Reviewed-by: Eric Biggers <ebiggers@kernel.org> > > > > Al, can you please apply this patch? > > > > - Eric > > Ping. Al, when are you going to apply this? Sits in the local queue. Sorry, got seriously sidetracked into configfs mess lately, will update for-next tomorrow and push it out.
diff --git a/fs/fs_parser.c b/fs/fs_parser.c index 83b66c9e9a24..7498a44f18c0 100644 --- a/fs/fs_parser.c +++ b/fs/fs_parser.c @@ -206,6 +206,9 @@ int fs_parse(struct fs_context *fc, case fs_param_is_fd: { switch (param->type) { case fs_value_is_string: + if (!result->has_value) + goto bad_value; + ret = kstrtouint(param->string, 0, &result->uint_32); break; case fs_value_is_file:
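Review bot: the guard added before kstrtouint() in the fs_value_is_string branch tests result->has_value, while the crash described in the commit message comes from param->string being NULL; a short comment above `if (!result->has_value)` stating that a string-typed default parameter carries no value (and hence a NULL param->string) would make that relationship explicit, or the check could test `param->string` directly, since that is the pointer kstrtouint() dereferences.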
syzbot reported general protection fault in kstrtouint:
https://lkml.org/lkml/2019/7/18/328

From the log, if the mount option is something like:
fd,XXXXXXXXXXXXXXXXXXXX

The default parameter (which has NULL param->string) will be passed to vfs_parse_fs_param. Finally, this NULL param->string is passed to kstrtouint and triggers a NULL pointer access.

Reported-by: syzbot+398343b7c1b1b989228d@syzkaller.appspotmail.com
Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse")

Signed-off-by: Yin Fengwei <nh26223.lmm@gmail.com>
---
ChangeLog:
v1 -> v2:
- Fix typo in v1
- Remove braces {} from single statement blocks

fs/fs_parser.c | 3 +++
1 file changed, 3 insertions(+)