fs: nfs: Added pointer check

Message ID	20221206092653.28911-1-arefev@swemel.ru (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-nfs-owner@kernel.org> From: Denis Arefev <arefev@swemel.ru> To: Trond Myklebust <trond.myklebust@hammerspace.com> Cc: Anna Schumaker <anna.schumaker@netapp.com>, linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, trufanov@swemel.ru, vfh@swemel.ru Subject: [PATCH] fs: nfs: Added pointer check Date: Tue, 6 Dec 2022 12:26:53 +0300 Message-Id: <20221206092653.28911-1-arefev@swemel.ru> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	fs: nfs: Added pointer check \| expand fs: nfs: Added pointer check

Message ID

20221206092653.28911-1-arefev@swemel.ru (mailing list archive)

State

New, archived

Headers

From: Denis Arefev <arefev@swemel.ru>
To: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: Anna Schumaker <anna.schumaker@netapp.com>,
        linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org,
        lvc-project@linuxtesting.org, trufanov@swemel.ru, vfh@swemel.ru
Subject: [PATCH] fs: nfs: Added pointer check
Date: Tue,  6 Dec 2022 12:26:53 +0300
Message-Id: <20221206092653.28911-1-arefev@swemel.ru>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

fs: nfs: Added pointer check | expand

Commit Message

Denis Arefev Dec. 6, 2022, 9:26 a.m. UTC

Return value of a function 'xdr_inline_decode' is dereferenced at
nfs4xdr.c:5540 without checking for null,
ut it is usually checked for this function

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Denis Arefev <arefev@swemel.ru>
---
 fs/nfs/nfs4xdr.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Trond Myklebust Dec. 6, 2022, 3:30 p.m. UTC | #1

> On Dec 6, 2022, at 04:26, Denis Arefev <arefev@swemel.ru> wrote:
> 
> Return value of a function 'xdr_inline_decode' is dereferenced at
> nfs4xdr.c:5540 without checking for null,
> ut it is usually checked for this function
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Signed-off-by: Denis Arefev <arefev@swemel.ru>
> ---
> fs/nfs/nfs4xdr.c | 2 ++
> 1 file changed, 2 insertions(+)
> 
> diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
> index c6dbfcae7517..571cc63ecb61 100644
> --- a/fs/nfs/nfs4xdr.c
> +++ b/fs/nfs/nfs4xdr.c
> @@ -5533,6 +5533,8 @@ static int decode_op_map(struct xdr_stream *xdr, struct nfs4_op_map *op_map)
> if (bitmap_words > NFS4_OP_MAP_NUM_WORDS)
> return -EIO;
> p = xdr_inline_decode(xdr, 4 * bitmap_words);
> + if (!p)
> + return -EIO;
> for (i = 0; i < bitmap_words; i++)
> op_map->u.words[i] = be32_to_cpup(p++);
> 
> -- 
> 2.25.1
> 


Again… What kernel is this for? The current code was introduced in Linux 5.16, and looks like this:

static int decode_op_map(struct xdr_stream *xdr, struct nfs4_op_map *op_map)
{
        if (xdr_stream_decode_uint32_array(xdr, op_map->u.words,
                                           ARRAY_SIZE(op_map->u.words)) < 0)
                return -EIO;
        return 0;
}

It does not have the problem you keep trying to report, and you patch doesn’t apply.

diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index c6dbfcae7517..571cc63ecb61 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -5533,6 +5533,8 @@  static int decode_op_map(struct xdr_stream *xdr, struct nfs4_op_map *op_map)
 	if (bitmap_words > NFS4_OP_MAP_NUM_WORDS)
 		return -EIO;
 	p = xdr_inline_decode(xdr, 4 * bitmap_words);
+	if (!p)
+		return -EIO;
 	for (i = 0; i < bitmap_words; i++)
 		op_map->u.words[i] = be32_to_cpup(p++);

fs: nfs: Added pointer check

Commit Message

Comments

Patch