From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Fedor Pchelkin <pchelkin@ispras.ru>,
Simon Horman <horms@kernel.org>,
Christian Schoenebeck <linux_oss@crudebyte.com>,
Dominique Martinet <asmadeus@codewreck.org>
Subject: [PATCH 4.14 18/21] net: 9p: avoid freeing uninit memory in p9pdu_vreadf
Date: Fri, 5 Jan 2024 15:39:05 +0100 [thread overview]
Message-ID: <20240105143812.350697010@linuxfoundation.org> (raw)
In-Reply-To: <20240105143811.536282337@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit ff49bf1867578f23a5ffdd38f927f6e1e16796c4 upstream.
If some of p9pdu_readf() calls inside case 'T' in p9pdu_vreadf() fails,
the error path is not handled properly. *wnames or members of *wnames
array may be left uninitialized and invalidly freed.
Initialize *wnames to NULL in beginning of case 'T'. Initialize the first
*wnames array element to NULL and nullify the failing *wnames element so
that the error path freeing loop stops on the first NULL element and
doesn't proceed further.
Found by Linux Verification Center (linuxtesting.org).
Fixes: ace51c4dd2f9 ("9p: add new protocol support code")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Message-ID: <20231206200913.16135-1-pchelkin@ispras.ru>
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/9p/protocol.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -243,6 +243,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
uint16_t *nwname = va_arg(ap, uint16_t *);
char ***wnames = va_arg(ap, char ***);
+ *wnames = NULL;
+
errcode = p9pdu_readf(pdu, proto_version,
"w", nwname);
if (!errcode) {
@@ -251,6 +253,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
GFP_NOFS);
if (!*wnames)
errcode = -ENOMEM;
+ else
+ (*wnames)[0] = NULL;
}
if (!errcode) {
@@ -262,8 +266,10 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
proto_version,
"s",
&(*wnames)[i]);
- if (errcode)
+ if (errcode) {
+ (*wnames)[i] = NULL;
break;
+ }
}
}
@@ -271,11 +277,14 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
if (*wnames) {
int i;
- for (i = 0; i < *nwname; i++)
+ for (i = 0; i < *nwname; i++) {
+ if (!(*wnames)[i])
+ break;
kfree((*wnames)[i]);
+ }
+ kfree(*wnames);
+ *wnames = NULL;
}
- kfree(*wnames);
- *wnames = NULL;
}
}
break;
next prev parent reply other threads:[~2024-01-05 14:39 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-05 14:38 [PATCH 4.14 00/21] 4.14.335-rc1 review Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 01/21] ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 02/21] s390/vx: fix save/restore of fpu kernel context Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 03/21] wifi: mac80211: mesh_plink: fix matches_local logic Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 04/21] net: sched: ife: fix potential use-after-free Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 05/21] ethernet: atheros: fix a memleak in atl1e_setup_ring_resources Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 06/21] net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 07/21] pinctrl: at91-pio4: use dedicated lock class for IRQ Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 08/21] iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 09/21] Input: ipaq-micro-keys - add error handling for devm_kmemdup Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 10/21] iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 11/21] wifi: cfg80211: Add my certificate Greg Kroah-Hartman
2024-01-05 14:38 ` [PATCH 4.14 12/21] wifi: cfg80211: fix certs build to not depend on file order Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 4.14 13/21] USB: serial: ftdi_sio: update Actisense PIDs constant names Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 4.14 14/21] USB: serial: option: add Quectel EG912Y module support Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 4.14 15/21] USB: serial: option: add Foxconn T99W265 with new baseline Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 4.14 16/21] USB: serial: option: add Quectel RM500Q R13 firmware support Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 4.14 17/21] Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent Greg Kroah-Hartman
2024-01-05 14:39 ` Greg Kroah-Hartman [this message]
2024-01-05 14:39 ` [PATCH 4.14 19/21] net: rfkill: gpio: set GPIO direction Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 4.14 20/21] dm-integrity: dont modify bios immutable bio_vec in integrity_metadata() Greg Kroah-Hartman
2024-01-05 14:39 ` [PATCH 4.14 21/21] block: Dont invalidate pagecache for invalid falloc modes Greg Kroah-Hartman
2024-01-05 16:23 ` [PATCH 4.14 00/21] 4.14.335-rc1 review Jon Hunter
2024-01-06 8:39 ` Greg Kroah-Hartman
2024-01-05 17:13 ` Daniel Díaz
2024-01-05 20:39 ` Alexis Lothoré
2024-01-06 8:39 ` Greg Kroah-Hartman
2024-01-05 21:32 ` Pavel Machek
2024-01-06 5:56 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240105143812.350697010@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=asmadeus@codewreck.org \
--cc=horms@kernel.org \
--cc=linux_oss@crudebyte.com \
--cc=patches@lists.linux.dev \
--cc=pchelkin@ispras.ru \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.