From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jia-Ju Bai <baijiaju1990@gmail.com>,
Joseph Qi <joseph.qi@linux.alibaba.com>,
Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>,
Junxiao Bi <junxiao.bi@oracle.com>,
Changwei Ge <gechangwei@live.cn>, Gang He <ghe@suse.com>,
Jun Piao <piaojun@huawei.com>,
Stephen Rothwell <sfr@canb.auug.org.au>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.4 14/21] fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()
Date: Fri, 18 Oct 2019 18:10:00 -0400 [thread overview]
Message-ID: <20191018221007.10851-14-sashal@kernel.org> (raw)
In-Reply-To: <20191018221007.10851-1-sashal@kernel.org>
From: Jia-Ju Bai <baijiaju1990@gmail.com>
[ Upstream commit 56e94ea132bb5c2c1d0b60a6aeb34dcb7d71a53d ]
In ocfs2_xa_prepare_entry(), there is an if statement on line 2136 to
check whether loc->xl_entry is NULL:
if (loc->xl_entry)
When loc->xl_entry is NULL, it is used on line 2158:
ocfs2_xa_add_entry(loc, name_hash);
loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash);
loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size);
and line 2164:
ocfs2_xa_add_namevalue(loc, xi);
loc->xl_entry->xe_value_size = cpu_to_le64(xi->xi_value_len);
loc->xl_entry->xe_name_len = xi->xi_name_len;
Thus, possible null-pointer dereferences may occur.
To fix these bugs, if loc-xl_entry is NULL, ocfs2_xa_prepare_entry()
abnormally returns with -EINVAL.
These bugs are found by a static analysis tool STCheck written by us.
[akpm@linux-foundation.org: remove now-unused ocfs2_xa_add_entry()]
Link: http://lkml.kernel.org/r/20190726101447.9153-1-baijiaju1990@gmail.com
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/xattr.c | 56 ++++++++++++++++++++----------------------------
1 file changed, 23 insertions(+), 33 deletions(-)
diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index 06faa608e5622..dfa6d45dc4dc4 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -1475,18 +1475,6 @@ static int ocfs2_xa_check_space(struct ocfs2_xa_loc *loc,
return loc->xl_ops->xlo_check_space(loc, xi);
}
-static void ocfs2_xa_add_entry(struct ocfs2_xa_loc *loc, u32 name_hash)
-{
- loc->xl_ops->xlo_add_entry(loc, name_hash);
- loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash);
- /*
- * We can't leave the new entry's xe_name_offset at zero or
- * add_namevalue() will go nuts. We set it to the size of our
- * storage so that it can never be less than any other entry.
- */
- loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size);
-}
-
static void ocfs2_xa_add_namevalue(struct ocfs2_xa_loc *loc,
struct ocfs2_xattr_info *xi)
{
@@ -2118,29 +2106,31 @@ static int ocfs2_xa_prepare_entry(struct ocfs2_xa_loc *loc,
if (rc)
goto out;
- if (loc->xl_entry) {
- if (ocfs2_xa_can_reuse_entry(loc, xi)) {
- orig_value_size = loc->xl_entry->xe_value_size;
- rc = ocfs2_xa_reuse_entry(loc, xi, ctxt);
- if (rc)
- goto out;
- goto alloc_value;
- }
+ if (!loc->xl_entry) {
+ rc = -EINVAL;
+ goto out;
+ }
- if (!ocfs2_xattr_is_local(loc->xl_entry)) {
- orig_clusters = ocfs2_xa_value_clusters(loc);
- rc = ocfs2_xa_value_truncate(loc, 0, ctxt);
- if (rc) {
- mlog_errno(rc);
- ocfs2_xa_cleanup_value_truncate(loc,
- "overwriting",
- orig_clusters);
- goto out;
- }
+ if (ocfs2_xa_can_reuse_entry(loc, xi)) {
+ orig_value_size = loc->xl_entry->xe_value_size;
+ rc = ocfs2_xa_reuse_entry(loc, xi, ctxt);
+ if (rc)
+ goto out;
+ goto alloc_value;
+ }
+
+ if (!ocfs2_xattr_is_local(loc->xl_entry)) {
+ orig_clusters = ocfs2_xa_value_clusters(loc);
+ rc = ocfs2_xa_value_truncate(loc, 0, ctxt);
+ if (rc) {
+ mlog_errno(rc);
+ ocfs2_xa_cleanup_value_truncate(loc,
+ "overwriting",
+ orig_clusters);
+ goto out;
}
- ocfs2_xa_wipe_namevalue(loc);
- } else
- ocfs2_xa_add_entry(loc, name_hash);
+ }
+ ocfs2_xa_wipe_namevalue(loc);
/*
* If we get here, we have a blank entry. Fill it. We grow our
--
2.20.1
next prev parent reply other threads:[~2019-10-18 22:11 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-18 22:09 [PATCH AUTOSEL 4.4 01/21] sc16is7xx: Fix for "Unexpected interrupt: 8" Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 02/21] x86/cpu: Add Atom Tremont (Jacobsville) Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 03/21] scripts/setlocalversion: Improve -dirty check with git-status --no-optional-locks Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 04/21] usb: handle warm-reset port requests on hub resume Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 05/21] exec: load_script: Do not exec truncated interpreter path Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 06/21] iio: fix center temperature of bmc150-accel-core Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 07/21] perf map: Fix overlapped map handling Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 08/21] RDMA/iwcm: Fix a lock inversion issue Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 09/21] nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 10/21] fs: cifs: mute -Wunused-const-variable message Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 11/21] serial: mctrl_gpio: Check for NULL pointer Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 12/21] efi/cper: Fix endianness of PCIe class code Sasha Levin
2019-10-18 22:09 ` [PATCH AUTOSEL 4.4 13/21] efi/x86: Do not clean dummy variable in kexec path Sasha Levin
2019-10-18 22:10 ` Sasha Levin [this message]
2019-10-18 22:10 ` [PATCH AUTOSEL 4.4 15/21] fs: ocfs2: fix a possible null-pointer dereference in ocfs2_info_scan_inode_alloc() Sasha Levin
2019-10-18 22:10 ` [PATCH AUTOSEL 4.4 16/21] iio: adc: ad799x: fix probe error handling Sasha Levin
2019-10-18 22:10 ` [PATCH AUTOSEL 4.4 17/21] iio: light: opt3001: fix mutex unlock race Sasha Levin
2019-10-18 22:10 ` [PATCH AUTOSEL 4.4 18/21] MIPS: fw: sni: Fix out of bounds init of o32 stack Sasha Levin
2019-10-18 22:10 ` [PATCH AUTOSEL 4.4 19/21] USB: usb-skeleton: fix use-after-free after driver unbind Sasha Levin
2019-10-18 22:10 ` [PATCH AUTOSEL 4.4 20/21] NFSv4: Fix leak of clp->cl_acceptor string Sasha Levin
2019-10-18 22:10 ` [PATCH AUTOSEL 4.4 21/21] tracing: Initialize iter->seq after zeroing in tracing_read_pipe() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191018221007.10851-14-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=baijiaju1990@gmail.com \
--cc=gechangwei@live.cn \
--cc=ghe@suse.com \
--cc=jlbec@evilplan.org \
--cc=joseph.qi@linux.alibaba.com \
--cc=junxiao.bi@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mark@fasheh.com \
--cc=piaojun@huawei.com \
--cc=sfr@canb.auug.org.au \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.