From: Dmitry Vyukov <dvyukov@google.com>
To: Tomas Bortoli <tomasbortoli@gmail.com>
Cc: Eric Van Hensbergen <ericvh@gmail.com>,
	Ron Minnich <rminnich@sandia.gov>,
	Latchesar Ionkov <lucho@ionkov.net>,
	Dominique Martinet <asmadeus@codewreck.org>,
	David Miller <davem@davemloft.net>,
	v9fs-developer@lists.sourceforge.net,
	netdev <netdev@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	syzkaller <syzkaller@googlegroups.com>
Subject: Re: [PATCH] 9p: fix multiple NULL-pointer-dereferences
Date: Fri, 27 Jul 2018 12:56:49 +0200
Message-ID: <CACT4Y+a-LXVZRhWZc7DW47CTU_kjDONykEjKc28wicR0T6V0KA@mail.gmail.com>
In-Reply-To: <20180727101915.4191-1-tomasbortoli@gmail.com>

On Fri, Jul 27, 2018 at 12:19 PM, Tomas Bortoli <tomasbortoli@gmail.com> wrote:
> Added checks to prevent GPFs from raising.

This supersedes the previous patch, right? If so please add:

Reported-by: syzbot+1a262da37d3bead15c39@syzkaller.appspotmail.com

so that the bug will be auto-closed.


> Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
> ---
>  net/9p/trans_fd.c     | 5 ++++-
>  net/9p/trans_rdma.c   | 3 +++
>  net/9p/trans_virtio.c | 3 +++
>  net/9p/trans_xen.c    | 3 +++
>  4 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
> index 964260265b13..e2ef3c782c53 100644
> --- a/net/9p/trans_fd.c
> +++ b/net/9p/trans_fd.c
> @@ -945,7 +945,7 @@ p9_fd_create_tcp(struct p9_client *client, const char *addr, char *args)
>         if (err < 0)
>                 return err;
>
> -       if (valid_ipaddr4(addr) < 0)
> +       if (addr == NULL || valid_ipaddr4(addr) < 0)
>                 return -EINVAL;
>
>         csocket = NULL;
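
Review bot: In p9_fd_create_tcp the new test is spelled addr == NULL; kernel style usually writes this as !addr (checkpatch.pl --strict flags the explicit comparison), so the condition could read if (!addr || valid_ipaddr4(addr) < 0). The same spelling applies to the guards added in the other hunks.
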
> @@ -995,6 +995,9 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
>
>         csocket = NULL;
>
> +       if (addr == NULL)
> +               return -EINVAL;
> +
>         if (strlen(addr) >= UNIX_PATH_MAX) {
>                 pr_err("%s (%d): address too long: %s\n",
>                        __func__, task_pid_nr(current), addr);
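
Review bot: The early return -EINVAL in p9_fd_create_unix is placed after csocket = NULL; rather than at the top of the function, so its safety depends on nothing having been allocated before that point. The visible context shows only the csocket assignment, which needs no cleanup, but moving the guard ahead of any setup would make that obvious and keep it correct if code is later added above it.
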
> diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
> index 2649b2ebf961..2ab4574183c9 100644
> --- a/net/9p/trans_rdma.c
> +++ b/net/9p/trans_rdma.c
> @@ -645,6 +645,9 @@ rdma_create_trans(struct p9_client *client, const char *addr, char *args)
>         struct rdma_conn_param conn_param;
>         struct ib_qp_init_attr qp_attr;
>
> +       if (addr == NULL)
> +               return -EINVAL;
> +
>         /* Parse the transport specific mount options */
>         err = parse_opts(args, &opts);
>         if (err < 0)
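
Review bot: In rdma_create_trans the addr guard runs before parse_opts(), while in p9_fd_create_tcp it runs only after parse_opts() has succeeded, so a call with a NULL addr and bad options may return a different error depending on the transport. Pick one order for all transports; checking addr first, as here, also avoids parsing options for a call that is going to fail anyway.
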
> diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
> index 06dcd3cc6a29..8ca356eb66bb 100644
> --- a/net/9p/trans_virtio.c
> +++ b/net/9p/trans_virtio.c
> @@ -654,6 +654,9 @@ p9_virtio_create(struct p9_client *client, const char *devname, char *args)
>         int ret = -ENOENT;
>         int found = 0;
>
> +       if (devname == NULL)
> +               return -EINVAL;
> +
>         mutex_lock(&virtio_9p_lock);
>         list_for_each_entry(chan, &virtio_chan_list, chan_list) {
>                 if (!strncmp(devname, chan->tag, chan->tag_len) &&
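
Review bot: The new guard in p9_virtio_create returns -EINVAL, while the function's own default is ret = -ENOENT for a devname that matches no channel. Please state in the commit message which of the two a caller should see for a missing device name, so the choice is deliberate. The placement ahead of mutex_lock(&virtio_9p_lock) is right, since the early return then needs no unlock.
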
> diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
> index 2e2b8bca54f3..c2d54ac76bfd 100644
> --- a/net/9p/trans_xen.c
> +++ b/net/9p/trans_xen.c
> @@ -94,6 +94,9 @@ static int p9_xen_create(struct p9_client *client, const char *addr, char *args)
>  {
>         struct xen_9pfs_front_priv *priv;
>
> +       if (addr == NULL)
> +               return -EINVAL;
> +
>         read_lock(&xen_9pfs_lock);
>         list_for_each_entry(priv, &xen_9pfs_devs, list) {
>                 if (!strcmp(priv->tag, addr)) {
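
Review bot: The guard in p9_xen_create is the fifth copy of the same NULL check in this patch (p9_fd_create_tcp, p9_fd_create_unix, rdma_create_trans, p9_virtio_create and here), and any transport added later has to remember it as well. If these create callbacks are reached through one common caller, a single check there would cover all of them; otherwise a short comment on how addr can be NULL would help, since the commit message does not say.
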
> --
> 2.11.0
>
