diff mbox series

kernel/sysctl-test: Fix potential null dereference in sysctl-test

Message ID 20250110100748.63470-1-hanchunchao@inspur.com
State Changes Requested
Headers show
Series kernel/sysctl-test: Fix potential null dereference in sysctl-test | expand

Commit Message

Charles Han Jan. 10, 2025, 10:07 a.m. UTC 
kunit_kzalloc() may return a NULL pointer, dereferencing it without
NULL check may lead to NULL dereference.
Add a NULL check for buffer.

Fixes: 2cb80dbbbaba ("kernel/sysctl-test: Add null pointer test for sysctl.c:proc_dointvec()")
Signed-off-by: Charles Han <hanchunchao@inspur.com>
---
 kernel/sysctl-test.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

Comments

kernel test robot Jan. 11, 2025, 12:24 p.m. UTC | #1 
Hi Charles,

kernel test robot noticed the following build warnings:

[auto build test WARNING on linus/master]
[also build test WARNING on mcgrof/sysctl-next sysctl/sysctl-next v6.13-rc6 next-20250110]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Charles-Han/kernel-sysctl-test-Fix-potential-null-dereference-in-sysctl-test/20250110-181004
base:   linus/master
patch link:    https://lore.kernel.org/r/20250110100748.63470-1-hanchunchao%40inspur.com
patch subject: [PATCH] kernel/sysctl-test: Fix potential null dereference in sysctl-test
config: i386-randconfig-063-20250111 (https://download.01.org/0day-ci/archive/20250111/202501112024.fU1FgDDE-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250111/202501112024.fU1FgDDE-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501112024.fU1FgDDE-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> kernel/sysctl-test.c:38:9: sparse: sparse: incorrect type in initializer (different address spaces) @@     expected void const *value @@     got void [noderef] __user *const __ptr @@
   kernel/sysctl-test.c:38:9: sparse:     expected void const *value
   kernel/sysctl-test.c:38:9: sparse:     got void [noderef] __user *const __ptr
   kernel/sysctl-test.c:47:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:47:9: sparse:     expected void *
   kernel/sysctl-test.c:47:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:47:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:47:9: sparse:     expected void *
   kernel/sysctl-test.c:47:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:56:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:56:9: sparse:     expected void *
   kernel/sysctl-test.c:56:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:56:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:56:9: sparse:     expected void *
   kernel/sysctl-test.c:56:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:85:9: sparse: sparse: incorrect type in initializer (different address spaces) @@     expected void const *value @@     got void [noderef] __user *const __ptr @@
   kernel/sysctl-test.c:85:9: sparse:     expected void const *value
   kernel/sysctl-test.c:85:9: sparse:     got void [noderef] __user *const __ptr
   kernel/sysctl-test.c:94:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:94:9: sparse:     expected void *
   kernel/sysctl-test.c:94:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:94:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:94:9: sparse:     expected void *
   kernel/sysctl-test.c:94:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:103:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:103:9: sparse:     expected void *
   kernel/sysctl-test.c:103:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:103:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:103:9: sparse:     expected void *
   kernel/sysctl-test.c:103:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:129:9: sparse: sparse: incorrect type in initializer (different address spaces) @@     expected void const *value @@     got void [noderef] __user *const __ptr @@
   kernel/sysctl-test.c:129:9: sparse:     expected void const *value
   kernel/sysctl-test.c:129:9: sparse:     got void [noderef] __user *const __ptr
   kernel/sysctl-test.c:136:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:136:9: sparse:     expected void *
   kernel/sysctl-test.c:136:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:136:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:136:9: sparse:     expected void *
   kernel/sysctl-test.c:136:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:140:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:140:9: sparse:     expected void *
   kernel/sysctl-test.c:140:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:140:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:140:9: sparse:     expected void *
   kernel/sysctl-test.c:140:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:164:9: sparse: sparse: incorrect type in initializer (different address spaces) @@     expected void const *value @@     got void [noderef] __user *const __ptr @@
   kernel/sysctl-test.c:164:9: sparse:     expected void const *value
   kernel/sysctl-test.c:164:9: sparse:     got void [noderef] __user *const __ptr
   kernel/sysctl-test.c:176:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:176:9: sparse:     expected void *
   kernel/sysctl-test.c:176:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:176:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got void [noderef] __user *buffer @@
   kernel/sysctl-test.c:176:9: sparse:     expected void *
   kernel/sysctl-test.c:176:9: sparse:     got void [noderef] __user *buffer
   kernel/sysctl-test.c:206:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:206:9: sparse:     expected void *
   kernel/sysctl-test.c:206:9: sparse:     got char [noderef] __user *user_buffer
   kernel/sysctl-test.c:206:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:206:9: sparse:     expected void *
   kernel/sysctl-test.c:206:9: sparse:     got char [noderef] __user *user_buffer
   kernel/sysctl-test.c:237:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:237:9: sparse:     expected void *
   kernel/sysctl-test.c:237:9: sparse:     got char [noderef] __user *user_buffer
   kernel/sysctl-test.c:237:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:237:9: sparse:     expected void *
   kernel/sysctl-test.c:237:9: sparse:     got char [noderef] __user *user_buffer
   kernel/sysctl-test.c:269:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:269:9: sparse:     expected void *
   kernel/sysctl-test.c:269:9: sparse:     got char [noderef] __user *user_buffer
   kernel/sysctl-test.c:269:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:269:9: sparse:     expected void *
   kernel/sysctl-test.c:269:9: sparse:     got char [noderef] __user *user_buffer
   kernel/sysctl-test.c:300:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:300:9: sparse:     expected void *
   kernel/sysctl-test.c:300:9: sparse:     got char [noderef] __user *user_buffer
   kernel/sysctl-test.c:300:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:300:9: sparse:     expected void *
   kernel/sysctl-test.c:300:9: sparse:     got char [noderef] __user *user_buffer
   kernel/sysctl-test.c:341:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:341:9: sparse:     expected void *
   kernel/sysctl-test.c:341:9: sparse:     got char [noderef] __user *user_buffer
   kernel/sysctl-test.c:341:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:341:9: sparse:     expected void *
   kernel/sysctl-test.c:341:9: sparse:     got char [noderef] __user *user_buffer
   kernel/sysctl-test.c:374:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:374:9: sparse:     expected void *
   kernel/sysctl-test.c:374:9: sparse:     got char [noderef] __user *user_buffer
   kernel/sysctl-test.c:374:9: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void * @@     got char [noderef] __user *user_buffer @@
   kernel/sysctl-test.c:374:9: sparse:     expected void *
   kernel/sysctl-test.c:374:9: sparse:     got char [noderef] __user *user_buffer

vim +38 kernel/sysctl-test.c

    11	
    12	/*
    13	 * Test that proc_dointvec will not try to use a NULL .data field even when the
    14	 * length is non-zero.
    15	 */
    16	static void sysctl_test_api_dointvec_null_tbl_data(struct kunit *test)
    17	{
    18		struct ctl_table null_data_table = {
    19			.procname = "foo",
    20			/*
    21			 * Here we are testing that proc_dointvec behaves correctly when
    22			 * we give it a NULL .data field. Normally this would point to a
    23			 * piece of memory where the value would be stored.
    24			 */
    25			.data		= NULL,
    26			.maxlen		= sizeof(int),
    27			.mode		= 0644,
    28			.proc_handler	= proc_dointvec,
    29			.extra1		= SYSCTL_ZERO,
    30			.extra2         = SYSCTL_ONE_HUNDRED,
    31		};
    32		/*
    33		 * proc_dointvec expects a buffer in user space, so we allocate one. We
    34		 * also need to cast it to __user so sparse doesn't get mad.
    35		 */
    36		void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int),
    37								   GFP_USER);
  > 38		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
    39		size_t len;
    40		loff_t pos;
    41	
    42		/*
    43		 * We don't care what the starting length is since proc_dointvec should
    44		 * not try to read because .data is NULL.
    45		 */
    46		len = 1234;
    47		KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&null_data_table,
    48						       KUNIT_PROC_READ, buffer, &len,
    49						       &pos));
    50		KUNIT_EXPECT_EQ(test, 0, len);
    51	
    52		/*
    53		 * See above.
    54		 */
    55		len = 1234;
    56		KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&null_data_table,
    57						       KUNIT_PROC_WRITE, buffer, &len,
    58						       &pos));
    59		KUNIT_EXPECT_EQ(test, 0, len);
    60	}
    61
diff mbox series

Patch

diff --git a/kernel/sysctl-test.c b/kernel/sysctl-test.c
index 3ac98bb7fb82..8c13bcff0127 100644
--- a/kernel/sysctl-test.c
+++ b/kernel/sysctl-test.c
@@ -35,6 +35,7 @@  static void sysctl_test_api_dointvec_null_tbl_data(struct kunit *test)
 	 */
 	void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int),
 							   GFP_USER);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
 	size_t len;
 	loff_t pos;
 
@@ -81,6 +82,7 @@  static void sysctl_test_api_dointvec_table_maxlen_unset(struct kunit *test)
 	};
 	void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int),
 							   GFP_USER);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
 	size_t len;
 	loff_t pos;
 
@@ -124,6 +126,7 @@  static void sysctl_test_api_dointvec_table_len_is_zero(struct kunit *test)
 	};
 	void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int),
 							   GFP_USER);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
 	/*
 	 * However, now our read/write buffer has zero length.
 	 */
@@ -158,6 +161,7 @@  static void sysctl_test_api_dointvec_table_read_but_position_set(
 	};
 	void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int),
 							   GFP_USER);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
 	/*
 	 * We don't care about our buffer length because we start off with a
 	 * non-zero file position.
@@ -194,6 +198,7 @@  static void sysctl_test_dointvec_read_happy_single_positive(struct kunit *test)
 	size_t len = 4;
 	loff_t pos = 0;
 	char *buffer = kunit_kzalloc(test, len, GFP_USER);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
 	char __user *user_buffer = (char __user *)buffer;
 	/* Store 13 in the data field. */
 	*((int *)table.data) = 13;
@@ -225,6 +230,7 @@  static void sysctl_test_dointvec_read_happy_single_negative(struct kunit *test)
 	size_t len = 5;
 	loff_t pos = 0;
 	char *buffer = kunit_kzalloc(test, len, GFP_USER);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
 	char __user *user_buffer = (char __user *)buffer;
 	*((int *)table.data) = -16;
 
@@ -255,6 +261,7 @@  static void sysctl_test_dointvec_write_happy_single_positive(struct kunit *test)
 	size_t len = sizeof(input) - 1;
 	loff_t pos = 0;
 	char *buffer = kunit_kzalloc(test, len, GFP_USER);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
 	char __user *user_buffer = (char __user *)buffer;
 
 	memcpy(buffer, input, len);
@@ -285,6 +292,7 @@  static void sysctl_test_dointvec_write_happy_single_negative(struct kunit *test)
 	size_t len = sizeof(input) - 1;
 	loff_t pos = 0;
 	char *buffer = kunit_kzalloc(test, len, GFP_USER);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
 	char __user *user_buffer = (char __user *)buffer;
 
 	memcpy(buffer, input, len);
@@ -316,6 +324,7 @@  static void sysctl_test_api_dointvec_write_single_less_int_min(
 	size_t max_len = 32, len = max_len;
 	loff_t pos = 0;
 	char *buffer = kunit_kzalloc(test, max_len, GFP_USER);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
 	char __user *user_buffer = (char __user *)buffer;
 	unsigned long abs_of_less_than_min = (unsigned long)INT_MAX
 					     - (INT_MAX + INT_MIN) + 1;
@@ -354,6 +363,7 @@  static void sysctl_test_api_dointvec_write_single_greater_int_max(
 	size_t max_len = 32, len = max_len;
 	loff_t pos = 0;
 	char *buffer = kunit_kzalloc(test, max_len, GFP_USER);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buffer);
 	char __user *user_buffer = (char __user *)buffer;
 	unsigned long greater_than_max = (unsigned long)INT_MAX + 1;