linux-btrfs.vger.kernel.org archive mirror
From: Qu Wenruo <quwenruo@cn.fujitsu.com>
To: linux-btrfs@vger.kernel.org, dsterba@suse.cz
Subject: [PATCH 4/4] btrfs-progs: fsck: Fix NULL pointer dereference for possible memory allocation failure
Date: Mon, 24 Oct 2016 10:43:35 +0800
Message-ID: <20161024024335.6770-4-quwenruo@cn.fujitsu.com>
In-Reply-To: <20161024024335.6770-1-quwenruo@cn.fujitsu.com>

We didn't check 'path' allocated in check_root_ref(), which can cause
NULL pointer dereference if the memory allocation failed.

Fix it by using stack memory, since the function should return error
bitmap not minus error code, we don't want memory allocation to be an
exception.

Reported-by: David Sterba <dsterba@suse.cz>
Resolves-Coverity-CID: 1372510
Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
---
 cmds-check.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/cmds-check.c b/cmds-check.c
index 91ed8b4..563cd55 100644
--- a/cmds-check.c
+++ b/cmds-check.c
@@ -5067,7 +5067,7 @@ out:
 static int check_root_ref(struct btrfs_root *root, struct btrfs_key *ref_key,
 			  struct extent_buffer *node, int slot)
 {
-	struct btrfs_path *path;
+	struct btrfs_path path;
 	struct btrfs_key key;
 	struct btrfs_root_ref *ref;
 	struct btrfs_root_ref *backref;
@@ -5104,8 +5104,8 @@ static int check_root_ref(struct btrfs_root *root, struct btrfs_key *ref_key,
 	key.type = BTRFS_ROOT_BACKREF_KEY + BTRFS_ROOT_REF_KEY - ref_key->type;
 	key.offset = ref_key->objectid;
 
-	path = btrfs_alloc_path();
-	ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
+	btrfs_init_path(&path);
+	ret = btrfs_search_slot(NULL, root, &key, &path, 0, 0);
 	if (ret) {
 		err |= ROOT_REF_MISSING;
 		error("%s[%llu %llu] couldn't find relative ref",
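Review bot: The `if (ret)` test right after btrfs_search_slot() treats a negative return (the search itself failed) the same as a positive one (key not found), so both set ROOT_REF_MISSING and print "couldn't find relative ref". Because this function reports through an error bitmap rather than a negative errno, a read failure would be recorded as a missing ref. Consider branching on `ret < 0` and reporting it with a distinct message so the two cases can be told apart in the check output.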
@@ -5115,11 +5115,11 @@ static int check_root_ref(struct btrfs_root *root, struct btrfs_key *ref_key,
 		goto out;
 	}
 
-	backref = btrfs_item_ptr(path->nodes[0], path->slots[0],
+	backref = btrfs_item_ptr(path.nodes[0], path.slots[0],
 				 struct btrfs_root_ref);
-	backref_dirid = btrfs_root_ref_dirid(path->nodes[0], backref);
-	backref_seq = btrfs_root_ref_sequence(path->nodes[0], backref);
-	backref_namelen = btrfs_root_ref_name_len(path->nodes[0], backref);
+	backref_dirid = btrfs_root_ref_dirid(path.nodes[0], backref);
+	backref_seq = btrfs_root_ref_sequence(path.nodes[0], backref);
+	backref_namelen = btrfs_root_ref_name_len(path.nodes[0], backref);
 
 	if (backref_namelen <= BTRFS_NAME_LEN) {
 		len = backref_namelen;
@@ -5130,7 +5130,7 @@ static int check_root_ref(struct btrfs_root *root, struct btrfs_key *ref_key,
 			"ROOT_REF" : "ROOT_BACKREF",
 			key.objectid, key.offset);
 	}
-	read_extent_buffer(path->nodes[0], backref_name,
+	read_extent_buffer(path.nodes[0], backref_name,
 			   (unsigned long)(backref + 1), len);
 
 	if (ref_dirid != backref_dirid || ref_seq != backref_seq ||
@@ -5143,7 +5143,7 @@ static int check_root_ref(struct btrfs_root *root, struct btrfs_key *ref_key,
 		      ref_key->objectid, ref_key->offset);
 	}
 out:
-	btrfs_free_path(path);
+	btrfs_release_path(&path);
 	return err;
 }
 
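Review bot: At the `out:` label, btrfs_release_path(&path) now runs on a stack struct that is only initialized by btrfs_init_path(&path) near line 5107, and the lines between the declarations and that call are not part of this diff. If any `goto out` can be reached before the init, the release would walk uninitialized nodes[] entries. Please confirm there is no such early jump, or move btrfs_init_path(&path) up to directly after the declarations so the cleanup is safe on every path. Switching from btrfs_free_path() to btrfs_release_path() is the right pairing for a path that is no longer heap allocated; a short mention of that in the commit message would help readers.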
-- 
2.10.1




Thread overview: 6+ messages
2016-10-24  2:43 [PATCH 1/4] btrfs-progs: Fix memory leak in write_raid56_with_parity Qu Wenruo
2016-10-24  2:43 ` [PATCH 2/4] btrfs-progs: fsck: Fix patch allocation check and leak in check_fs_first_inode Qu Wenruo
2016-10-24  2:43 ` [PATCH 3/4] btrfs-progs: utils: Fix NULL pointer derefernces in string_is_numerical Qu Wenruo
2016-10-24  2:43 ` Qu Wenruo [this message]
2016-10-24  3:04 ` [PATCH 1/4] btrfs-progs: Fix memory leak in write_raid56_with_parity Qu Wenruo
2016-10-25 14:35 ` David Sterba
