From patchwork Sun Oct 23 16:39:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hawkins Jiawei X-Patchwork-Id: 13016331 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2577AFA373E for ; Sun, 23 Oct 2022 16:41:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230294AbiJWQlS (ORCPT ); Sun, 23 Oct 2022 12:41:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44644 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230266AbiJWQlQ (ORCPT ); Sun, 23 Oct 2022 12:41:16 -0400 Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C4BB13E81; Sun, 23 Oct 2022 09:41:15 -0700 (PDT) Received: by mail-pj1-x102a.google.com with SMTP id l22-20020a17090a3f1600b00212fbbcfb78so1454277pjc.3; Sun, 23 Oct 2022 09:41:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=g1Cu3DNts+pCDfLLsa4Q9GpOR28OVBmv+G8giTYg/EU=; b=RO5/jO1i2hC/VigegQdljK2K8JMj1QVRgMeVA4XppWM9E0aeFrN1PzhhTAxMPf0U1F GQ2E8oXQh5E7E2dpFDcJ/rdeNr0jt3tGFbkjTnX2I8QdoedkGw+U9z62ck8eWJrNmI5V KH1Z+CS6kpP6XMZtfb//JXpkvtrLbxAMJVw2GHPw4h4w9k4/dSzMISIdXIz4sN3ct/uy 87/HQgL3vcoDkTHeoaSsgEPa90ClpIsOrj4nnVv+2bACVCahuxf7tBPr8Ngt0NrPdr7t 8pOgOXXq0a2k9gfiWT6+E+8avdw9wPqZX2Iwb5/47S7QNvJPn/FDMb3WpMJmyAcpvpMg PO5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to 
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=g1Cu3DNts+pCDfLLsa4Q9GpOR28OVBmv+G8giTYg/EU=; b=sGclB9WkFs+8CcAABOEFQG2I3tWtPBA0NswV4X56bf0XtJViHfCVKtWFSOj+KMU5Th Lw7HzsxQ3cxcjNfsggnX5MLNDRcqpFYOFeHHcwxZep+h6LJByWLYDJxi8jWxg6D4T5/G kWnVwQo9VNvq3MWBjF0KQKKbaC5doxxKptotB5ZVLCl+E9bt9+gIhnL6kXQ0Ka7EWYhx Qh55LOZdd4QV+K8PZIIdTT+/QP79qeuBESUQ/dg7pKm2uO4leTQhbUpkJhcFbjpcun49 glbsggwYaNYeMd0+gdPgS6DQyU17icB0MzvMYDjBVQDvnDSpCYOVZejkXbDw1jcj14CB Lh0A== X-Gm-Message-State: ACrzQf0MW1ugD1JIu4YGom1imIw2pwafMno6XZKxPBxOtoJQ3AXpf07x 8zRZyeBx20MpL1G58K0KwtaY9E3KTceGguJtPps= X-Google-Smtp-Source: AMsMyM5b9uLKDgvKeqOL6QRiWjFfI+W3L+9H/bOOcjuUrY5OrLVFjNSUX12EDlenDf538ZZxmDgdOQ== X-Received: by 2002:a17:90a:d14a:b0:203:7b4b:6010 with SMTP id t10-20020a17090ad14a00b002037b4b6010mr69783916pjw.237.1666543274908; Sun, 23 Oct 2022 09:41:14 -0700 (PDT) Received: from localhost ([223.104.41.250]) by smtp.gmail.com with ESMTPSA id d4-20020a631d04000000b00460d89df1f1sm16148170pgd.57.2022.10.23.09.41.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 23 Oct 2022 09:41:14 -0700 (PDT) 
From: Hawkins Jiawei
To: yin31149@gmail.com, Steve French, Paulo Alcantara, Ronnie Sahlberg, Shyam Prasad N, Tom Talpey
Cc: 18801353760@163.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org
Subject: [PATCH -next 1/5] smb3: fix possible null-ptr-deref when parsing param
Date: Mon, 24 Oct 2022 00:39:43 +0800
Message-Id: <20221023163945.39920-2-yin31149@gmail.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221023163945.39920-1-yin31149@gmail.com>
References: <20221023163945.39920-1-yin31149@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org

According to commit "vfs: parse: deal with zero length string value", the kernel will set param->string to a null pointer in vfs_parse_fs_string() if the fs string has zero length. Yet the problem is that smb3_fs_context_parse_param() will dereference param->string without checking whether it is a null pointer, which may trigger a null-ptr-deref bug.

This patch solves it by adding a sanity check on param->string in smb3_fs_context_parse_param().

Signed-off-by: Hawkins Jiawei
---
 fs/cifs/fs_context.c | 58 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/fs_context.c b/fs/cifs/fs_context.c index 45119597c765..7832e5d6bbb0 100644 --- a/fs/cifs/fs_context.c +++ b/fs/cifs/fs_context.c @@ -858,7 +858,8 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, * fs_parse can not handle string options with an empty value so * we will need special handling of them. */ - if (param->type == fs_value_is_string && param->string[0] == 0) { + if ((param->type == fs_value_is_string && param->string[0] == 0) || + param->type == fs_value_is_empty) { if (!strcmp("pass", param->key) || !strcmp("password", param->key)) { skip_parsing = true; opt = Opt_pass;
@@ -1124,6 +1125,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, case Opt_source: kfree(ctx->UNC); ctx->UNC = NULL; + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } switch (smb3_parse_devname(param->string, ctx)) { case 0: break; @@ -1181,6 +1187,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, } break; case Opt_ip: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (strlen(param->string) == 0) { ctx->got_ip = false; break; @@ -1194,6 +1205,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, ctx->got_ip = true; break; case Opt_domain: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (strnlen(param->string, CIFS_MAX_DOMAINNAME_LEN) == CIFS_MAX_DOMAINNAME_LEN) { pr_warn("domain name too long\n"); @@ -1209,6 +1225,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, cifs_dbg(FYI, "Domain name set\n"); break; case Opt_srcaddr: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (!cifs_convert_address( (struct sockaddr *)&ctx->srcaddr, param->string, strlen(param->string))) { @@ -1218,6 +1239,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, } break; case Opt_iocharset: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (strnlen(param->string, 1024) >= 65) { pr_warn("iocharset name too long\n"); goto cifs_parse_mount_err; 
@@ -1237,6 +1263,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, cifs_dbg(FYI, "iocharset set to %s\n", ctx->iocharset); break; case Opt_netbiosname: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } memset(ctx->source_rfc1001_name, 0x20, RFC1001_NAME_LEN); /* @@ -1257,6 +1288,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, pr_warn("netbiosname longer than 15 truncated\n"); break; case Opt_servern: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } /* last byte, type, is 0x20 for servr type */ memset(ctx->target_rfc1001_name, 0x20, RFC1001_NAME_LEN_WITH_NULL); @@ -1277,6 +1313,11 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, pr_warn("server netbiosname longer than 15 truncated\n"); break; case Opt_ver: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } /* version of mount userspace tools, not dialect */ /* If interface changes in mount.cifs bump to new ver */ if (strncasecmp(param->string, "1", 1) == 0) { 
@@ -1292,16 +1333,31 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, pr_warn("Invalid mount helper version specified\n"); goto cifs_parse_mount_err; case Opt_vers: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } /* protocol version (dialect) */ if (cifs_parse_smb_version(fc, param->string, ctx, is_smb3) != 0) goto cifs_parse_mount_err; ctx->got_version = true; break; case Opt_sec: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (cifs_parse_security_flavors(fc, param->string, ctx) != 0) goto cifs_parse_mount_err; break; case Opt_cache: + if (!param->string) { + cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", + param->key); + goto cifs_parse_mount_err; + } if (cifs_parse_cache_flavor(fc, param->string, ctx) != 0) goto cifs_parse_mount_err; break; From patchwork Sun Oct 23 16:39:45 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hawkins Jiawei X-Patchwork-Id: 13016335 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F2995FA373E for ; Sun, 23 Oct 2022 16:41:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230401AbiJWQln (ORCPT ); Sun, 23 Oct 2022 12:41:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45106 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230355AbiJWQlm (ORCPT ); Sun, 23 Oct 2022 12:41:42 -0400 Received: from mail-pg1-x52f.google.com (mail-pg1-x52f.google.com [IPv6:2607:f8b0:4864:20::52f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D3CB665667; Sun, 23 Oct 2022 09:41:41 -0700 (PDT) 
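Review bot: the first hunk now routes an empty pass=/password= (param->type == fs_value_is_empty, so param->string is NULL) down the skip_parsing path to Opt_pass, yet none of the hunks in this patch touches the Opt_pass case, nor any other key that the rest of that if block (not shown here) routes with skip_parsing. If that code reads param->string the way every other string case in this patch does, the crash this patch fixes only moves there; either guard Opt_pass as well or explain in the commit message why it is safe. The message should also say that the prerequisite "vfs: parse: deal with zero length string value" changes param->type to fs_value_is_empty, not only that it NULLs param->string, because fs_value_is_empty is not introduced here and this patch does not build without it. It is also worth asking whether fs_parse() should reject an empty value once, for fsparam_string parameters that lack fs_param_can_be_empty, instead of every filesystem open-coding the same check.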
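Review bot: in the Opt_ip hunk the new NULL check fails the mount, while the line right after it, `if (strlen(param->string) == 0) { ctx->got_ip = false; break; }`, deliberately accepts an empty ip= as "no address". With the prerequisite commit turning an empty value into a NULL string, ip= goes from accepted to rejected, which is a user-visible behaviour change. Treat NULL like the empty string here (ctx->got_ip = false; break;) unless the change is intended, in which case say so in the commit message.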
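Review bot: the identical block `if (!param->string) { cifs_errorf(fc, "Bad value '(null)' for mount option '%s'\n", param->key); goto cifs_parse_mount_err; }` is pasted into twelve cases from Opt_source through Opt_cache. A single label reached by goto (the gfs2 patch in this series does this with bad_val:) or a small helper keeps it to one copy and makes it harder to forget the next string-valued option that gets added to this switch.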
From: Hawkins Jiawei
To: yin31149@gmail.com, Trond Myklebust, Anna Schumaker
Cc: 18801353760@163.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org
Subject: [PATCH -next 2/5] nfs: fix possible null-ptr-deref when parsing param
Date: Mon, 24 Oct 2022 00:39:45 +0800
Message-Id: <20221023163945.39920-3-yin31149@gmail.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221023163945.39920-1-yin31149@gmail.com>
References: <20221023163945.39920-1-yin31149@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org

According to commit "vfs: parse: deal with zero length string value", the kernel will set param->string to a null pointer in vfs_parse_fs_string() if the fs string has zero length. Yet the problem is that nfs_fs_context_parse_param() will dereference param->string without checking whether it is a null pointer, which may trigger a null-ptr-deref bug.

This patch solves it by adding a sanity check on param->string in nfs_fs_context_parse_param().

Signed-off-by: Hawkins Jiawei
Reviewed-by: Jeff Layton
---
 fs/nfs/fs_context.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c index 4da701fd1424..0c330bc13ef2 100644 --- a/fs/nfs/fs_context.c +++ b/fs/nfs/fs_context.c @@ -684,6 +684,8 @@ static int nfs_fs_context_parse_param(struct fs_context *fc, return ret; break; case Opt_vers: + if (!param->string) + goto out_invalid_value; trace_nfs_mount_assign(param->key, param->string); ret = nfs_parse_version_string(fc, param->string); if (ret < 0) @@ -696,6 +698,8 @@ static int nfs_fs_context_parse_param(struct fs_context *fc, break; case Opt_proto: + if (!param->string) + goto out_invalid_value; trace_nfs_mount_assign(param->key, param->string); protofamily = AF_INET; switch (lookup_constant(nfs_xprt_protocol_tokens, param->string, -1)) {
@@ -732,6 +736,8 @@ static int nfs_fs_context_parse_param(struct fs_context *fc, break; case Opt_mountproto: + if (!param->string) + goto out_invalid_value; trace_nfs_mount_assign(param->key, param->string); mountfamily = AF_INET; switch (lookup_constant(nfs_xprt_protocol_tokens, param->string, -1)) { From patchwork Sun Oct 23 16:39:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hawkins Jiawei X-Patchwork-Id: 13016336 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F4089FA373E for ; Sun, 23 Oct 2022 16:42:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230392AbiJWQmS (ORCPT ); Sun, 23 Oct 2022 12:42:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45448 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229772AbiJWQmR (ORCPT ); Sun, 23 Oct 2022 12:42:17 -0400 Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 095A130F7A; Sun, 23 Oct 2022 09:42:17 -0700 (PDT) Received: by mail-pj1-x102b.google.com with SMTP id m6-20020a17090a5a4600b00212f8dffec9so1650133pji.0; Sun, 23 Oct 2022 09:42:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=y/JN3nDWwlvz0zr+zWQj4q64audZwnviw+yHCDgZXPo=; b=gZsn90LXl5nV61F9U0RAcTQqSQZdYebM2knsbimY3UTaxWa5vVVyv5Nk2qgPQ22FBc R3+gW5rWNzdCx3xJ8nDUsQJCwpWKlLcPAk7rlAoMMIo92R4T+Z0iTtqBop0YDAWHs9uK 2tan3wUNJhE0AA84wdSBWgHglSZuhsKsdV24N1z/dVDwodFJUJJohTdTb10aZ3q7kyzO 
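Review bot: the three hunks guard Opt_vers, Opt_proto and Opt_mountproto right before trace_nfs_mount_assign(param->key, param->string), which is the correct spot since the tracepoint itself reads the string. What is missing is any statement of why these are the only cases that need it: the switch has more string-valued options than the hunks show, and one missed case keeps the same crash. Please say in the commit message that the rest of the switch was audited, and confirm that out_invalid_value (not shown) formats only param->key, since param->string is NULL on this path.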
From: Hawkins Jiawei
To: yin31149@gmail.com, Xiubo Li, Ilya Dryomov, Jeff Layton
Cc: 18801353760@163.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, ceph-devel@vger.kernel.org
Subject: [PATCH -next 3/5] ceph: fix possible null-ptr-deref when parsing param
Date: Mon, 24 Oct 2022 00:39:47 +0800
Message-Id: <20221023163945.39920-4-yin31149@gmail.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221023163945.39920-1-yin31149@gmail.com>
References: <20221023163945.39920-1-yin31149@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org

According to commit "vfs: parse: deal with zero length string value", the kernel will set param->string to a null pointer in vfs_parse_fs_string() if the fs string has zero length. Yet the problem is that ceph_parse_mount_param() will dereference param->string without checking whether it is a null pointer, which may trigger a null-ptr-deref bug.

This patch solves it by adding a sanity check on param->string in ceph_parse_mount_param().

Signed-off-by: Hawkins Jiawei
---
 fs/ceph/super.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/ceph/super.c b/fs/ceph/super.c index 3fc48b43cab0..341e23fe29eb 100644 --- a/fs/ceph/super.c +++ b/fs/ceph/super.c
@@ -417,6 +417,9 @@ static int ceph_parse_mount_param(struct fs_context *fc, param->string = NULL; break; case Opt_mds_namespace: + if (!param->string) + return invalfc(fc, "Bad value '%s' for mount option '%s'\n", + param->string, param->key); if (!namespace_equals(fsopt, param->string, strlen(param->string))) return invalfc(fc, "Mismatching mds_namespace"); kfree(fsopt->mds_namespace); From patchwork Sun Oct 23 16:39:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hawkins Jiawei X-Patchwork-Id: 13016337 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D1DF3C3A59D for ; Sun, 23 Oct 2022 16:43:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230438AbiJWQnC (ORCPT ); Sun, 23 Oct 2022 12:43:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46060 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229772AbiJWQm5 (ORCPT ); Sun, 23 Oct 2022 12:42:57 -0400 Received: from mail-pj1-x102c.google.com (mail-pj1-x102c.google.com [IPv6:2607:f8b0:4864:20::102c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A478B7287D; Sun, 23 Oct 2022 09:42:53 -0700 (PDT) Received: by mail-pj1-x102c.google.com with SMTP id i3-20020a17090a3d8300b00212cf2e2af9so6111390pjc.1; Sun, 23 Oct 2022 09:42:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=7FA3CfjwFWzAnFbI8NyRJA0/XOu8yldPHiMeYItKgCg=; b=WZP8Cgm6X9azLSrPQ0HfKLqBJx6cVZQTs6bFNuPdAPDFm+wb2k0DxmDjIXLvbCVD2M TzCZ2ZDyGjj5RKoDyRP5qaS+p2RkFeU9q480aQCim/cG39I+0ke181O26mAEaV/5tmtt 
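Review bot: in the Opt_mds_namespace hunk the error path passes param->string to '%s' right after establishing that it is NULL, so the message can only ever print "Bad value '(null)'"; report the key alone instead ("missing value for mount option '%s'", param->key). The trailing "\n" is also inconsistent with the existing `return invalfc(fc, "Mismatching mds_namespace");` two lines below, which has none; match it.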
From: Hawkins Jiawei
To: yin31149@gmail.com, Bob Peterson, Andreas Gruenbacher
Cc: 18801353760@163.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, syzbot+da97a57c5b742d05db51@syzkaller.appspotmail.com, cluster-devel@redhat.com, syzkaller-bugs@googlegroups.com
Subject: [PATCH -next 4/5] gfs2: fix possible null-ptr-deref when parsing param
Date: Mon, 24 Oct 2022 00:39:49 +0800
Message-Id: <20221023163945.39920-5-yin31149@gmail.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221023163945.39920-1-yin31149@gmail.com>
References: <20221023163945.39920-1-yin31149@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org

According to commit "vfs: parse: deal with zero length string value", the kernel will set param->string to a null pointer in vfs_parse_fs_string() if the fs string has zero length. Yet the problem is that gfs2_parse_param() will dereference param->string without checking whether it is a null pointer, which may trigger a null-ptr-deref bug.

This patch solves it by adding a sanity check on param->string in gfs2_parse_param().

Reported-by: syzbot+da97a57c5b742d05db51@syzkaller.appspotmail.com
Tested-by: syzbot+da97a57c5b742d05db51@syzkaller.appspotmail.com
Cc: agruenba@redhat.com
Cc: cluster-devel@redhat.com
Cc: linux-kernel@vger.kernel.org
Cc: rpeterso@redhat.com
Cc: syzkaller-bugs@googlegroups.com
Signed-off-by: Hawkins Jiawei
---
 fs/gfs2/ops_fstype.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c index c0cf1d2d0ef5..934746f18c25 100644 --- a/fs/gfs2/ops_fstype.c +++ b/fs/gfs2/ops_fstype.c
@@ -1446,12 +1446,18 @@ static int gfs2_parse_param(struct fs_context *fc, struct fs_parameter *param) switch (o) { case Opt_lockproto: + if (!param->string) + goto bad_val; strscpy(args->ar_lockproto, param->string, GFS2_LOCKNAME_LEN); break; case Opt_locktable: + if (!param->string) + goto bad_val; strscpy(args->ar_locktable, param->string, GFS2_LOCKNAME_LEN); break; case Opt_hostdata: + if (!param->string) + goto bad_val; strscpy(args->ar_hostdata, param->string, GFS2_LOCKNAME_LEN); break; case Opt_spectator: 
@@ -1535,6 +1541,10 @@ static int gfs2_parse_param(struct fs_context *fc, struct fs_parameter *param) return invalfc(fc, "invalid mount option: %s", param->key); } return 0; + +bad_val: + return invalfc(fc, "Bad value '%s' for mount option '%s'\n", + param->string, param->key); } static int gfs2_reconfigure(struct fs_context *fc) From patchwork Sun Oct 23 16:39:51 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hawkins Jiawei X-Patchwork-Id: 13016338 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA074ECAAA1 for ; Sun, 23 Oct 2022 16:43:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230226AbiJWQnZ (ORCPT ); Sun, 23 Oct 2022 12:43:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46830 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230161AbiJWQnX (ORCPT ); Sun, 23 Oct 2022 12:43:23 -0400 Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EBF036EF07; Sun, 23 Oct 2022 09:43:20 -0700 (PDT) Received: by mail-pg1-x52c.google.com with SMTP id 20so6820047pgc.5; Sun, 23 Oct 2022 09:43:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=PWdKBK100G137ePLJZr7SsyGe/cg6oRLKCkeoRrPIPo=; b=Puu4zOrlu1SOJ0TTr60mNTaYFimaMnCTlIQSpZ7MuZJNWOsz5B7Jnh5Q2iq5TZUvfU DmjvbVyZXk2MaWyEFn9L75XKoD+t90BrEe1aT6DD4lPZH9c9PSZug5sWCcK6bMdZGtBs yyqdqSUYiXHLG5UzRNNcJ6+A4MZR6jHm4fP6fWFT5/pqEqWHaaSuZPz3Fj7np9GUq/Wv 
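Review bot: the Opt_lockproto/Opt_locktable/Opt_hostdata hunk is the path syzbot reported, and the commit message carries Reported-by and Tested-by but no Link: to the syzkaller report, and it names the commit that makes param->string NULL only by subject. Add the Link: so the dashboard can close the bug, and state that this patch depends on "vfs: parse: deal with zero length string value" so it is not picked up on its own.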
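Review bot: the new bad_val: label prints the NULL param->string through '%s' and ends with "\n", whereas the existing `return invalfc(fc, "invalid mount option: %s", param->key);` a few lines above uses no newline and only the key. Match that: `return invalfc(fc, "missing value for mount option '%s'", param->key);`.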
From: Hawkins Jiawei
To: yin31149@gmail.com
Cc: 18801353760@163.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: [PATCH -next 5/5] proc: fix possible null-ptr-deref when parsing param
Date: Mon, 24 Oct 2022 00:39:51 +0800
Message-Id: <20221023163945.39920-6-yin31149@gmail.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221023163945.39920-1-yin31149@gmail.com>
References: <20221023163945.39920-1-yin31149@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org

According to commit "vfs: parse: deal with zero length string value", the kernel will set param->string to a null pointer in vfs_parse_fs_string() if the fs string has zero length. Yet the problem is that proc_parse_param() will dereference param->string without checking whether it is a null pointer, which may trigger a null-ptr-deref bug.

This patch solves it by adding a sanity check on param->string in proc_parse_param().

Signed-off-by: Hawkins Jiawei
---
 fs/proc/root.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/proc/root.c b/fs/proc/root.c index 3c2ee3eb1138..5346809dc3c3 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -130,6 +130,9 @@ static int proc_parse_param(struct fs_context *fc, struct fs_parameter *param) break; case Opt_subset: + if (!param->string) + return invalfc(fc, "Bad value '%s' for mount option '%s'\n", + param->string, param->key); if (proc_parse_subset_param(fc, param->string) < 0) return -EINVAL; break;
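Review bot: the Opt_subset hunk prints the known-NULL param->string through '%s' and ends the invalfc message with "\n"; use the key alone ("missing value for mount option '%s'", param->key). The ceph and gfs2 patches in this series carry the same message with the same flaw, so one wording across the three would also help anyone grepping dmesg for it.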