[PATCH v1] fs/super.c: Add NULL check for type in iterate_supers

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v1] fs/super.c: Add NULL check for type in iterate_supers_type
@ 2025-04-02  3:45 Xiaole He
  2025-04-02 11:38 ` James Bottomley
  2025-04-03  8:01 ` Christian Brauner
  0 siblings, 2 replies; 5+ messages in thread
From: Xiaole He @ 2025-04-02  3:45 UTC (permalink / raw)
  To: viro, brauner; +Cc: jack, linux-fsdevel, linux-kernel, Xiaole He

The first several lines of iterate_supers_type are below:

1 void iterate_supers_type(struct file_system_type *type,
2 	void (*f)(struct super_block *, void *), void *arg)
3 {
4 	struct super_block *sb, *p = NULL;
5
6 	spin_lock(&sb_lock);
7 	hlist_for_each_entry(sb, &type->fs_supers, s_instances) {
8 	...
9 }

The iterate_super_type is a exported symbol, and if iterate_supers_type
is called with type of NULL, then there will be a NULL pointer
dereference of argument type in line 7.

This patch fix above problem by adding NULL pointer check for argument
type.

Signed-off-by: Xiaole He <hexiaole1994@126.com>
---
 fs/super.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/super.c b/fs/super.c
index 5a7db4a556e3..105a275b8360 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -959,6 +959,8 @@ void iterate_supers_type(struct file_system_type *type,
 {
 	struct super_block *sb, *p = NULL;
 
+	if (unlikely(ZERO_OR_NULL_PTR(type)))
+		return;
 	spin_lock(&sb_lock);
 	hlist_for_each_entry(sb, &type->fs_supers, s_instances) {
 		bool locked;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v1] fs/super.c: Add NULL check for type in iterate_supers_type
  2025-04-02  3:45 [PATCH v1] fs/super.c: Add NULL check for type in iterate_supers_type Xiaole He
@ 2025-04-02 11:38 ` James Bottomley
       [not found]   ` <4ee2fdcb.1854a.195f9828c86.Coremail.hexiaole1994@126.com>
  2025-04-03  8:01 ` Christian Brauner
  1 sibling, 1 reply; 5+ messages in thread
From: James Bottomley @ 2025-04-02 11:38 UTC (permalink / raw)
  To: Xiaole He, viro, brauner; +Cc: jack, linux-fsdevel, linux-kernel

On Wed, 2025-04-02 at 11:45 +0800, Xiaole He wrote:
> The first several lines of iterate_supers_type are below:
> 
> 1 void iterate_supers_type(struct file_system_type *type,
> 2 	void (*f)(struct super_block *, void *), void *arg)
> 3 {
> 4 	struct super_block *sb, *p = NULL;
> 5
> 6 	spin_lock(&sb_lock);
> 7 	hlist_for_each_entry(sb, &type->fs_supers, s_instances) {
> 8 	...
> 9 }
> 
> The iterate_super_type is a exported symbol, and if
> iterate_supers_type is called with type of NULL, then there will be a
> NULL pointer dereference of argument type in line 7.

filesystem_type is an argument to alloc_super, which the filesystems
code always fills in.  If a filesystem passed a NULL type to the
context, the initialization code would crash on a NULL deref (iterating
type->fs_supers) which makes what you're checking for here an
impossible condition, doesn't it?

Regards,

James


^ permalink raw reply	[flat|nested] 5+ messages in thread

[parent not found: <4ee2fdcb.1854a.195f9828c86.Coremail.hexiaole1994@126.com>]

* Re: [PATCH v1] fs/super.c: Add NULL check for type in iterate_supers_type
       [not found]   ` <4ee2fdcb.1854a.195f9828c86.Coremail.hexiaole1994@126.com>
@ 2025-04-03  2:47     ` Al Viro
       [not found]       ` <75a45193.18746.195f9a088c4.Coremail.hexiaole1994@126.com>
  0 siblings, 1 reply; 5+ messages in thread
From: Al Viro @ 2025-04-03  2:47 UTC (permalink / raw)
  To: Xiaole He
  Cc: James Bottomley, brauner@kernel.org, jack@suse.cz,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org

On Thu, Apr 03, 2025 at 10:37:17AM +0800, Xiaole He wrote:
> Thank you for your feedback.
> While I acknowledge your points, I would like to clarify the rationale
> behind submitting this patch.
> During my experimentation with an external module interacting with the
> superblock, I utilized iterate_supers_type (from fs/super.c) as it is
> an exported symbol. However, I observed a potential vulnerability in
> its implementation: the type argument can be passed as NULL, leading
> to a null pointer dereference. To verify this, I deliberately triggered
> a scenario where type was set to NULL, resulting in the following dmesg
> output:

> After this observasion, I worry about if this vulnerability can cause
> the whole kernel crash if the type argument is passed by a
> unintentional NULL in the kernel code rather than in the external
> module.
> Thus I submitted the patch to address the missing null-check.
> Thank you for your review.

You do realize that passing it NULL as the second (function pointer) argument
would also oops, right?  Passing (void (*)(struct super_block *))kfree
there would do even more unpleasant things, etc.

Sure, it's exported - so's strlen().  While we are at it, checking just for
NULL is not the limit - what if the caller gives it ERR_PTR(...) as argument?

^ permalink raw reply	[flat|nested] 5+ messages in thread

[parent not found: <75a45193.18746.195f9a088c4.Coremail.hexiaole1994@126.com>]

* Re: [PATCH v1] fs/super.c: Add NULL check for type in iterate_supers_type
       [not found]       ` <75a45193.18746.195f9a088c4.Coremail.hexiaole1994@126.com>
@ 2025-04-03  3:50         ` Al Viro
  0 siblings, 0 replies; 5+ messages in thread
From: Al Viro @ 2025-04-03  3:50 UTC (permalink / raw)
  To: Xiaole He
  Cc: James Bottomley, brauner@kernel.org, jack@suse.cz,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org

On Thu, Apr 03, 2025 at 11:10:02AM +0800, Xiaole He wrote:
> Thank you for your thoughtfully feedback.
> I think you are right, and I'm sorry for my pedantic anxiety.
> So if we just ignore this patch for now, or I should submit a bug
> report to kernel community in order to invite more thorough fix?
> Thanks for your patient again.

I don't believe that adding random checks would make any sense -
same as for any library function, really.

Having the documentation slightly more clear would make sense,
though; currently it's

 *      iterate_supers_type - call function for superblocks of given type
 *      @type: fs type
 *      @f: function to call
 *      @arg: argument to pass to it
 *
 *      Scans the superblock list and calls given function, passing it
 *      locked superblock and given argument.

and description could've been better.  The weakest part in there is,
IMO, "the superblock list" - there is a global list of all superblocks
(inventively called 'super_blocks'), but that's not what gets scanned;
the list of superblocks of given type (type->fs_supers) we iterate
through.

Something along the lines of "Call given callback @f for all superblocks
of given type.  The first argument passed to @f points to a locked superblock
that belongs to @type; the second is a caller-supplied opaque pointer @arg.
The caller is responsible for passing @arg that would make a valid second
argument for @f - compiler can't help here" might be a starting point,
but I'm not up to turning that into proper English.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v1] fs/super.c: Add NULL check for type in iterate_supers_type
  2025-04-02  3:45 [PATCH v1] fs/super.c: Add NULL check for type in iterate_supers_type Xiaole He
  2025-04-02 11:38 ` James Bottomley
@ 2025-04-03  8:01 ` Christian Brauner
  1 sibling, 0 replies; 5+ messages in thread
From: Christian Brauner @ 2025-04-03  8:01 UTC (permalink / raw)
  To: Xiaole He; +Cc: viro, jack, linux-fsdevel, linux-kernel

On Wed, Apr 02, 2025 at 11:45:29AM +0800, Xiaole He wrote:
> The first several lines of iterate_supers_type are below:
> 
> 1 void iterate_supers_type(struct file_system_type *type,
> 2 	void (*f)(struct super_block *, void *), void *arg)
> 3 {
> 4 	struct super_block *sb, *p = NULL;
> 5
> 6 	spin_lock(&sb_lock);
> 7 	hlist_for_each_entry(sb, &type->fs_supers, s_instances) {
> 8 	...
> 9 }
> 
> The iterate_super_type is a exported symbol, and if iterate_supers_type
> is called with type of NULL, then there will be a NULL pointer
> dereference of argument type in line 7.
> 
> This patch fix above problem by adding NULL pointer check for argument
> type.
> 
> Signed-off-by: Xiaole He <hexiaole1994@126.com>
> ---

Both Al and James already pointed out that this check is unnecessary and
ultimately misleading. So we're not going to accept this patch.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2025-04-03  8:01 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-02  3:45 [PATCH v1] fs/super.c: Add NULL check for type in iterate_supers_type Xiaole He
2025-04-02 11:38 ` James Bottomley
     [not found]   ` <4ee2fdcb.1854a.195f9828c86.Coremail.hexiaole1994@126.com>
2025-04-03  2:47     ` Al Viro
     [not found]       ` <75a45193.18746.195f9a088c4.Coremail.hexiaole1994@126.com>
2025-04-03  3:50         ` Al Viro
2025-04-03  8:01 ` Christian Brauner

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox