* Possible null pointer dereference in __rh_alloc()
@ 2020-05-03  7:02 Dongyang Zhan
From: Dongyang Zhan @ 2020-05-03  7:02 UTC (permalink / raw)
  To: Alasdair Kergon, M: Mike Snitzer, dm-devel



Hi,

I am a security researcher; my name is Dongyang Zhan. I found a
potential bug in /drivers/md/dm-region-hash.c in Linux 4.10.17. I hope
you can help me to confirm it.


__rh_alloc() in /drivers/md/dm-region-hash.c mishandles the memory
allocation failures of nreg.

Source code:

struct dm_region *reg, *nreg;

nreg = mempool_alloc(rh->region_pool, GFP_ATOMIC);
if (unlikely(!nreg))
		nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);

nreg->state = rh->log->type->in_sync(rh->log, region, 1) ?
		DM_RH_CLEAN : DM_RH_NOSYNC;

If the statement (nreg = kmalloc(sizeof(*nreg), GFP_NOIO |
__GFP_NOFAIL);) fails,
dereferencing this pointer (nreg->state) will cause a null pointer dereference.


* Re: Possible null pointer dereference in __rh_alloc()
@ 2020-05-03 13:38 ` Alasdair G Kergon
From: Alasdair G Kergon @ 2020-05-03 13:38 UTC (permalink / raw)
  To: Dongyang Zhan; +Cc: dm-devel, M: Mike Snitzer, Alasdair Kergon

On Sun, May 03, 2020 at 03:02:21PM +0800, Dongyang Zhan wrote:
>  I am a security researcher; my name is Dongyang Zhan. I found a potential bug in
>  /drivers/md/dm-region-hash.c in Linux 4.10.17. I hope you can help me to confirm it.
>  __rh_alloc() in /drivers/md/dm-region-hash.c mishandles the memory allocation failures of nreg.
>  Source code:
>  struct dm_region *reg, *nreg;
>  nreg = mempool_alloc(rh->region_pool, GFP_ATOMIC);
>  if (unlikely(!nreg))
>                  nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);
>  nreg->state = rh->log->type->in_sync(rh->log, region, 1) ?
>                  DM_RH_CLEAN : DM_RH_NOSYNC;
>  If the statement (nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);) fails,
>  dereferencing this pointer (nreg->state) will cause a null pointer dereference.

 * %__GFP_NOFAIL: The VM implementation _must_ retry infinitely: the caller
 * cannot handle allocation failures. The allocation could block
 * indefinitely but will never return with failure. Testing for
 * failure is pointless.

Alasdair

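
The triage Alasdair applies above (a dereference after a __GFP_NOFAIL allocation is not a missing NULL check) can be encoded in a checker so that this class of report is filtered out before it reaches a maintainer. The following is an added example, not code from the thread or the kernel tree: a small Python text heuristic that classifies each allocation by what the next use of its result does, and only reports a dereference as unchecked when __GFP_NOFAIL was not passed. The sample input is constructed from the snippet in the report plus a hypothetical `tmp` allocation.

```python
import re

# Constructed sample: the __rh_alloc() fragment quoted in the report, followed by
# a hypothetical allocation (not from the report) whose result really is unchecked.
SAMPLE_C = """\
nreg = mempool_alloc(rh->region_pool, GFP_ATOMIC);
if (unlikely(!nreg))
\t\tnreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);

nreg->state = rh->log->type->in_sync(rh->log, region, 1) ?
\t\tDM_RH_CLEAN : DM_RH_NOSYNC;

tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);   /* hypothetical */
tmp->count = 0;
"""

# One-line assignments "var = kmalloc(...);". A deliberately small text heuristic;
# real checkers (Coccinelle, smatch) work on a parse tree.
ALLOC_RE = re.compile(r"\b(\w+)\s*=\s*(kmalloc|kzalloc|mempool_alloc)\s*\((.*)\);")

def classify_allocs(src):
    """Return (line, var, verdict) per allocation. verdicts:
    checked   - the next use of var is a NULL test
    nofail    - the next use dereferences var, but __GFP_NOFAIL was passed, so
                the allocator never returns NULL: not a bug
    unchecked - the next use dereferences var with no NULL test and no NOFAIL
    other     - the next use is something else, or var is never used again"""
    results = []
    for m in ALLOC_RE.finditer(src):
        var, _fn, args = m.groups()
        line = src.count("\n", 0, m.start()) + 1
        after = src[m.end():]
        nxt = re.search(r"\b" + re.escape(var) + r"\b", after)   # first later use
        before = after[:nxt.start()].rstrip() if nxt else ""     # text up to that use
        at = after[nxt.start():] if nxt else ""                  # text from that use
        null_test = before.endswith("!") or re.match(re.escape(var) + r"\s*==\s*NULL", at)
        deref = at.startswith(var + "->") or before.endswith("*")
        if null_test:
            verdict = "checked"
        elif deref:
            verdict = "nofail" if "__GFP_NOFAIL" in args else "unchecked"
        else:
            verdict = "other"
        results.append((line, var, verdict))
    return results

if __name__ == "__main__":
    for line, var, verdict in classify_allocs(SAMPLE_C):
        print(f"line {line}: {var} -> {verdict}")
```

On the sample, the kmalloc on line 3 is classified as nofail rather than unchecked, which is exactly the reason the report above is not a bug, while the hypothetical `tmp` allocation is still flagged.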