From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-co1nam03on0119.outbound.protection.outlook.com ([104.47.40.119]:64870 "EHLO NAM03-CO1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S966823AbeCSQMx (ORCPT ); Mon, 19 Mar 2018 12:12:53 -0400 From: Sasha Levin To: "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" CC: Dan Carpenter , Ilya Dryomov , Sasha Levin Subject: [PATCH AUTOSEL for 3.18 041/102] libceph: NULL deref on crush_decode() error path Date: Mon, 19 Mar 2018 16:12:23 +0000 Message-ID: <20180319161117.17833-41-alexander.levin@microsoft.com> References: <20180319161117.17833-1-alexander.levin@microsoft.com> In-Reply-To: <20180319161117.17833-1-alexander.levin@microsoft.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org List-ID: From: Dan Carpenter [ Upstream commit 293dffaad8d500e1a5336eeb90d544cf40d4fbd8 ] If there is not enough space then ceph_decode_32_safe() does a goto bad. We need to return an error code in that situation. The current code returns ERR_PTR(0) which is NULL. The callers are not expecting that and it results in a NULL dereference. Fixes: f24e9980eb86 ("ceph: OSD client") Signed-off-by: Dan Carpenter Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin --- net/ceph/osdmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c index 8bb2e0c1cb50..c2f815d44914 100644 --- a/net/ceph/osdmap.c +++ b/net/ceph/osdmap.c @@ -270,6 +270,7 @@ static struct crush_map *crush_decode(void *pbyval, voi= d *end) u32 yes; struct crush_rule *r; =20 + err =3D -EINVAL; ceph_decode_32_safe(p, end, yes, bad); if (!yes) { dout("crush_decode NO rule %d off %x %p to %p\n", --=20 2.14.1
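Review bot: the err = -EINVAL added directly above ceph_decode_32_safe(p, end, yes, bad) only protects this goto bad for as long as err still holds that value, and nothing at the site says so. The commit message explains that the bad path otherwise returns ERR_PTR(0), which is NULL and which callers do not expect. If anything after this point in the same block stores a successful return value in err, a later jump to bad would hand back NULL again. A one-line comment here (for example "bad: must not see err == 0") would make that invariant visible. It is also worth checking the other ceph_decode_*_safe(..., bad) calls in crush_decode() for the same stale-err condition, since this hunk covers only one of them. When backporting to 3.18, confirm that err is declared and in scope at this point and that the bad label returns ERR_PTR(err), because neither is visible in the context lines shown.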