From: Eric Biggers <ebiggers@kernel.org>
To: viro@zeniv.linux.org.uk
Cc: dhowells@redhat.com, gregkh@linuxfoundation.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, miklos@szeredi.hu,
tglx@linutronix.de, Yin Fengwei <nh26223.lmm@gmail.com>,
kstewart@linuxfoundation.org
Subject: Re: [PATCH v2] fs: fs_parser: avoid NULL param->string to kstrtouint
Date: Thu, 15 Aug 2019 19:46:54 -0700
Message-ID: <20190816024654.GA12185@sol.localdomain>
In-Reply-To: <20190719232949.27978-1-nh26223.lmm@gmail.com>

On Sat, Jul 20, 2019 at 07:29:49AM +0800, Yin Fengwei wrote:
> syzbot reported general protection fault in kstrtouint:
> https://lkml.org/lkml/2019/7/18/328
>
> From the log, if the mount option is something like:
> fd,XXXXXXXXXXXXXXXXXXXX
>
> The default parameter (which has NULL param->string) will be
> passed to vfs_parse_fs_param. Finally, this NULL param->string
> is passed to kstrtouint and triggers a NULL pointer access.
>
> Reported-by: syzbot+398343b7c1b1b989228d@syzkaller.appspotmail.com
> Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse")
>
> Signed-off-by: Yin Fengwei <nh26223.lmm@gmail.com>
> ---
> ChangeLog:
> v1 -> v2:
> - Fix typo in v1
> - Remove braces {} from single statement blocks
>
> fs/fs_parser.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/fs_parser.c b/fs/fs_parser.c
> index 83b66c9e9a24..7498a44f18c0 100644
> --- a/fs/fs_parser.c
> +++ b/fs/fs_parser.c
> @@ -206,6 +206,9 @@ int fs_parse(struct fs_context *fc,
> case fs_param_is_fd: {
> switch (param->type) {
> case fs_value_is_string:
> + if (!result->has_value)
> + goto bad_value;
> +
> ret = kstrtouint(param->string, 0, &result->uint_32);
> break;
> case fs_value_is_file:
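Review bot: in the fs_value_is_string branch the new guard tests result->has_value, but the pointer that faulted, and that the very next line dereferences, is param->string, and nothing in this hunk shows that the two always agree. Either test the pointer itself (if (!param->string) goto bad_value;) or add a one-line comment stating that has_value is false exactly when the option was given without a value, so that a later change to how has_value is set does not silently reopen the NULL dereference. The hunk also guards only the fs_param_is_fd case; it is worth confirming in the same pass whether other branches of fs_parse() hand param->string to a kstrto*() helper and need the same check.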
> --
> 2.17.1

Reviewed-by: Eric Biggers <ebiggers@kernel.org>

Al, can you please apply this patch?

- Eric