linux-kernel-mentees.lists.linuxfoundation.org archive mirror
* [PATCH] Null check to prevent null-ptr-deref bug
       [not found] <000000000000cafb9305fc4fe588@google.com>
@ 2023-05-28  1:25 ` Prince Kumar Maurya
  2023-05-28  6:58   ` Greg KH
  2023-05-28 16:44 ` Prince Kumar Maurya
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 13+ messages in thread
From: Prince Kumar Maurya @ 2023-05-28  1:25 UTC (permalink / raw)
  To: skhan, viro, brauner, chenzhongjin
  Cc: syzkaller-bugs, linux-kernel-mentees, linux-fsdevel, linux-kernel

sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on it leads to the null-ptr-deref bug.

Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
---
 fs/sysv/itree.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
index b22764fe669c..3a6b66e719fd 100644
--- a/fs/sysv/itree.c
+++ b/fs/sysv/itree.c
@@ -145,6 +145,8 @@ static int alloc_branch(struct inode *inode,
 		 */
 		parent = block_to_cpu(SYSV_SB(inode->i_sb), branch[n-1].key);
 		bh = sb_getblk(inode->i_sb, parent);
+		if (!bh)
+			break;
 		lock_buffer(bh);
 		memset(bh->b_data, 0, blocksize);
 		branch[n].bh = bh;
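Review bot: the bare break after the failed sb_getblk() leaks the block allocated for this level: branch[n].key = sysv_new_block(inode->i_sb) has already succeeded a few lines above this hunk, and the cleanup loop at the end of alloc_branch() only frees branch[i].key for i < n, so block n is never returned to the free list. Free it before leaving the loop, i.e. if (!bh) { sysv_free_block(inode->i_sb, branch[n].key); break; }. The break is otherwise safe with respect to the bforget(branch[i].bh) loop, which also stops at i < n and therefore never sees the unassigned branch[n].bh.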
-- 
2.40.1

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees


* Re: [PATCH] Null check to prevent null-ptr-deref bug
  2023-05-28  1:25 ` [PATCH] Null check to prevent null-ptr-deref bug Prince Kumar Maurya
@ 2023-05-28  6:58   ` Greg KH
  0 siblings, 0 replies; 13+ messages in thread
From: Greg KH @ 2023-05-28  6:58 UTC (permalink / raw)
  To: Prince Kumar Maurya
  Cc: brauner, linux-kernel-mentees, syzkaller-bugs, linux-kernel,
	viro, linux-fsdevel, chenzhongjin

On Sat, May 27, 2023 at 06:25:16PM -0700, Prince Kumar Maurya wrote:
> sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on it leads to the null-ptr-deref bug.

Please wrap your changelog comments at 72 columns.

> Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
> ---
>  fs/sysv/itree.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
> index b22764fe669c..3a6b66e719fd 100644
> --- a/fs/sysv/itree.c
> +++ b/fs/sysv/itree.c
> @@ -145,6 +145,8 @@ static int alloc_branch(struct inode *inode,
>  		 */
>  		parent = block_to_cpu(SYSV_SB(inode->i_sb), branch[n-1].key);
>  		bh = sb_getblk(inode->i_sb, parent);
> +		if (!bh)
> +			break;

How have you tested this?  Have you reproduced this failure and has this
patch resolved the issue?  This function should never really fail in
normal operation, so it's odd that you were able to hit this somehow.

thanks,

greg k-h

* [PATCH] Null check to prevent null-ptr-deref bug
       [not found] <000000000000cafb9305fc4fe588@google.com>
  2023-05-28  1:25 ` [PATCH] Null check to prevent null-ptr-deref bug Prince Kumar Maurya
@ 2023-05-28 16:44 ` Prince Kumar Maurya
  2023-05-28 16:46   ` Greg KH
  2023-05-28 17:35 ` Prince Kumar Maurya
  2023-05-28 18:44 ` [PATCH v3] fs/sysv: " Prince Kumar Maurya
  3 siblings, 1 reply; 13+ messages in thread
From: Prince Kumar Maurya @ 2023-05-28 16:44 UTC (permalink / raw)
  To: skhan, viro, brauner, chenzhongjin
  Cc: syzkaller-bugs, linux-kernel-mentees, linux-fsdevel, linux-kernel

sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on it leads to the null-ptr-deref bug.

Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
---
 fs/sysv/itree.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
index b22764fe669c..3a6b66e719fd 100644
--- a/fs/sysv/itree.c
+++ b/fs/sysv/itree.c
@@ -145,6 +145,8 @@ static int alloc_branch(struct inode *inode,
 		 */
 		parent = block_to_cpu(SYSV_SB(inode->i_sb), branch[n-1].key);
 		bh = sb_getblk(inode->i_sb, parent);
+		if (!bh)
+			break;
 		lock_buffer(bh);
 		memset(bh->b_data, 0, blocksize);
 		branch[n].bh = bh;
-- 
2.40.1


* Re: [PATCH] Null check to prevent null-ptr-deref bug
  2023-05-28 16:44 ` Prince Kumar Maurya
@ 2023-05-28 16:46   ` Greg KH
  0 siblings, 0 replies; 13+ messages in thread
From: Greg KH @ 2023-05-28 16:46 UTC (permalink / raw)
  To: Prince Kumar Maurya
  Cc: brauner, linux-kernel-mentees, syzkaller-bugs, linux-kernel,
	viro, linux-fsdevel, chenzhongjin

On Sun, May 28, 2023 at 09:44:00AM -0700, Prince Kumar Maurya wrote:
> sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on it leads to the null-ptr-deref bug.
> 
> Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
> ---
>  fs/sysv/itree.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
> index b22764fe669c..3a6b66e719fd 100644
> --- a/fs/sysv/itree.c
> +++ b/fs/sysv/itree.c
> @@ -145,6 +145,8 @@ static int alloc_branch(struct inode *inode,
>  		 */
>  		parent = block_to_cpu(SYSV_SB(inode->i_sb), branch[n-1].key);
>  		bh = sb_getblk(inode->i_sb, parent);
> +		if (!bh)
> +			break;
>  		lock_buffer(bh);
>  		memset(bh->b_data, 0, blocksize);
>  		branch[n].bh = bh;
> -- 
> 2.40.1

Why resend this when I already responded:
	https://lore.kernel.org/r/2023052803-pucker-depress-5452@gregkh

confused,

greg k-h

* [PATCH] Null check to prevent null-ptr-deref bug
       [not found] <000000000000cafb9305fc4fe588@google.com>
  2023-05-28  1:25 ` [PATCH] Null check to prevent null-ptr-deref bug Prince Kumar Maurya
  2023-05-28 16:44 ` Prince Kumar Maurya
@ 2023-05-28 17:35 ` Prince Kumar Maurya
  2023-05-28 17:51   ` Greg KH
  2023-05-28 17:52   ` Greg KH
  2023-05-28 18:44 ` [PATCH v3] fs/sysv: " Prince Kumar Maurya
  3 siblings, 2 replies; 13+ messages in thread
From: Prince Kumar Maurya @ 2023-05-28 17:35 UTC (permalink / raw)
  To: skhan, viro, brauner, chenzhongjin
  Cc: syzkaller-bugs, linux-kernel-mentees, linux-fsdevel, linux-kernel

sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on
it leads to the null-ptr-deref bug.

Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
---
Change since v1: update the commit message.
The bug was reproducible using the reproducer code and assets found in
the bug report: https://syzkaller.appspot.com/bug?extid=aad58150cbc64ba41bdc
I used qemu to reproduce the bug and, after the code fix, I rebooted the
qemu guest with the updated bzImage containing the fix.

qemu-system-x86_64 -m 4G -nographic -drive \
file=./asset/disk-4d6d4c7f.raw,format=raw \
-enable-kvm -net nic -net user,hostfwd=tcp::2222-:22

 fs/sysv/itree.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
index b22764fe669c..3a6b66e719fd 100644
--- a/fs/sysv/itree.c
+++ b/fs/sysv/itree.c
@@ -145,6 +145,8 @@ static int alloc_branch(struct inode *inode,
 		 */
 		parent = block_to_cpu(SYSV_SB(inode->i_sb), branch[n-1].key);
 		bh = sb_getblk(inode->i_sb, parent);
+		if (!bh)
+			break;
 		lock_buffer(bh);
 		memset(bh->b_data, 0, blocksize);
 		branch[n].bh = bh;
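Review bot: the if (!bh) check carries no comment on why sb_getblk() can return NULL for parent here, and the commit message only restates the crash; the reply to v1 pointed out that this call should not fail in normal operation and asked how the failure was reproduced, and the cover text above answers only the second part. State the cause you observed with the syzbot reproducer in the commit message, or in a one-line comment above the check, so the check is not later mistaken for dead code and removed.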
-- 
2.40.1


* Re: [PATCH] Null check to prevent null-ptr-deref bug
  2023-05-28 17:35 ` Prince Kumar Maurya
@ 2023-05-28 17:51   ` Greg KH
  2023-05-28 17:52   ` Greg KH
  1 sibling, 0 replies; 13+ messages in thread
From: Greg KH @ 2023-05-28 17:51 UTC (permalink / raw)
  To: Prince Kumar Maurya
  Cc: brauner, linux-kernel-mentees, syzkaller-bugs, linux-kernel,
	viro, linux-fsdevel, chenzhongjin

On Sun, May 28, 2023 at 10:35:46AM -0700, Prince Kumar Maurya wrote:
> sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on
> it leads to the null-ptr-deref bug.
> 
> Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
> ---
> Change since v1: update the commit message.

Your subject: line needs to also be fixed up.  Please see the kernel
documentation for how to do this properly.

thanks

greg k-h

* Re: [PATCH] Null check to prevent null-ptr-deref bug
  2023-05-28 17:35 ` Prince Kumar Maurya
  2023-05-28 17:51   ` Greg KH
@ 2023-05-28 17:52   ` Greg KH
  1 sibling, 0 replies; 13+ messages in thread
From: Greg KH @ 2023-05-28 17:52 UTC (permalink / raw)
  To: Prince Kumar Maurya
  Cc: brauner, linux-kernel-mentees, syzkaller-bugs, linux-kernel,
	viro, linux-fsdevel, chenzhongjin

On Sun, May 28, 2023 at 10:35:46AM -0700, Prince Kumar Maurya wrote:
> sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on
> it leads to the null-ptr-deref bug.
> 
> Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
> ---
> Change since v1: update the commit message.
> The bug was reproducible using the reproducer code and assets found in
> the bug report: https://syzkaller.appspot.com/bug?extid=aad58150cbc64ba41bdc

Also, did you forget to properly credit the syzbot tool like it asks you
to?


* [PATCH v3] fs/sysv: Null check to prevent null-ptr-deref bug
       [not found] <000000000000cafb9305fc4fe588@google.com>
                   ` (2 preceding siblings ...)
  2023-05-28 17:35 ` Prince Kumar Maurya
@ 2023-05-28 18:44 ` Prince Kumar Maurya
  2023-05-30  8:26   ` Christian Brauner
  2023-06-01  7:55   ` Christian Brauner
  3 siblings, 2 replies; 13+ messages in thread
From: Prince Kumar Maurya @ 2023-05-28 18:44 UTC (permalink / raw)
  To: skhan, viro, brauner, chenzhongjin
  Cc: syzkaller-bugs, linux-kernel, linux-fsdevel,
	linux-kernel-mentees, syzbot+aad58150cbc64ba41bdc

sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on
it leads to the null-ptr-deref bug.

Reported-by: syzbot+aad58150cbc64ba41bdc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=aad58150cbc64ba41bdc
Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
---
Change since v2: Updated subject and added Reported-by and Closes tags.

 fs/sysv/itree.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
index b22764fe669c..3a6b66e719fd 100644
--- a/fs/sysv/itree.c
+++ b/fs/sysv/itree.c
@@ -145,6 +145,8 @@ static int alloc_branch(struct inode *inode,
 		 */
 		parent = block_to_cpu(SYSV_SB(inode->i_sb), branch[n-1].key);
 		bh = sb_getblk(inode->i_sb, parent);
+		if (!bh)
+			break;
 		lock_buffer(bh);
 		memset(bh->b_data, 0, blocksize);
 		branch[n].bh = bh;
-- 
2.40.1


* Re: [PATCH v3] fs/sysv: Null check to prevent null-ptr-deref bug
  2023-05-28 18:44 ` [PATCH v3] fs/sysv: " Prince Kumar Maurya
@ 2023-05-30  8:26   ` Christian Brauner
  2023-05-30 14:59     ` Prince Kumar Maurya
  2023-06-01  7:55   ` Christian Brauner
  1 sibling, 1 reply; 13+ messages in thread
From: Christian Brauner @ 2023-05-30  8:26 UTC (permalink / raw)
  To: Prince Kumar Maurya
  Cc: linux-kernel-mentees, syzkaller-bugs, linux-kernel, viro,
	linux-fsdevel, chenzhongjin, syzbot+aad58150cbc64ba41bdc

On Sun, May 28, 2023 at 11:44:22AM -0700, Prince Kumar Maurya wrote:
> sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on
> it leads to the null-ptr-deref bug.
> 
> Reported-by: syzbot+aad58150cbc64ba41bdc@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=aad58150cbc64ba41bdc
> Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
> ---
> Change since v2: Updated subject and added Reported-by and Closes tags.
> 
>  fs/sysv/itree.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
> index b22764fe669c..3a6b66e719fd 100644
> --- a/fs/sysv/itree.c
> +++ b/fs/sysv/itree.c
> @@ -145,6 +145,8 @@ static int alloc_branch(struct inode *inode,
>  		 */
>  		parent = block_to_cpu(SYSV_SB(inode->i_sb), branch[n-1].key);
>  		bh = sb_getblk(inode->i_sb, parent);
> +		if (!bh)
> +			break;

When you break here you'll hit:

/* Allocation failed, free what we already allocated */
for (i = 1; i < n; i++)
        bforget(branch[i].bh);
for (i = 0; i < n; i++)
        sysv_free_block(inode->i_sb, branch[i].key);

below. The cleanup paths were coded in the assumption that sb_getblk()
can't fail. So bforget() can assume that branch[i].bh has been allocated
and set up. So that bforget(branch[i].bh) is your next pending NULL
deref afaict.

* Re: [PATCH v3] fs/sysv: Null check to prevent null-ptr-deref bug
  2023-05-30  8:26   ` Christian Brauner
@ 2023-05-30 14:59     ` Prince Kumar Maurya
  2023-05-30 15:54       ` Christian Brauner
  0 siblings, 1 reply; 13+ messages in thread
From: Prince Kumar Maurya @ 2023-05-30 14:59 UTC (permalink / raw)
  To: Christian Brauner
  Cc: linux-kernel-mentees, syzkaller-bugs, linux-kernel, viro,
	linux-fsdevel, chenzhongjin, syzbot+aad58150cbc64ba41bdc

On Tue, May 30, 2023 at 1:26 AM Christian Brauner <brauner@kernel.org> wrote:
>
> On Sun, May 28, 2023 at 11:44:22AM -0700, Prince Kumar Maurya wrote:
> > sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on
> > it leads to the null-ptr-deref bug.
> >
> > Reported-by: syzbot+aad58150cbc64ba41bdc@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=aad58150cbc64ba41bdc
> > Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
> > ---
> > Change since v2: Updated subject and added Reported-by and Closes tags.
> >
> >  fs/sysv/itree.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
> > index b22764fe669c..3a6b66e719fd 100644
> > --- a/fs/sysv/itree.c
> > +++ b/fs/sysv/itree.c
> > @@ -145,6 +145,8 @@ static int alloc_branch(struct inode *inode,
> >                */
> >               parent = block_to_cpu(SYSV_SB(inode->i_sb), branch[n-1].key);
> >               bh = sb_getblk(inode->i_sb, parent);
> > +             if (!bh)
> > +                     break;
>
> When you break here you'll hit:
>
> /* Allocation failed, free what we already allocated */
> for (i = 1; i < n; i++)
>         bforget(branch[i].bh);
> for (i = 0; i < n; i++)
>         sysv_free_block(inode->i_sb, branch[i].key);
>
> below. The cleanup paths were coded in the assumption that sb_getblk()
> can't fail. So bforget() can assume that branch[i].bh has been allocated
> and set up. So that bforget(branch[i].bh) is your next pending NULL
> deref afaict.


I doubt that would happen. There is a break above as well, before we do
sb_getblk():

/* Allocate the next block */
branch[n].key = sysv_new_block(inode->i_sb);
if (!branch[n].key)
   break;

The cleanup code path runs while i is less than n, not equal to n, which
would have caused the problem.

* Re: [PATCH v3] fs/sysv: Null check to prevent null-ptr-deref bug
  2023-05-30 14:59     ` Prince Kumar Maurya
@ 2023-05-30 15:54       ` Christian Brauner
  2023-05-31  1:31         ` [PATCH v4] " Prince Kumar Maurya
  0 siblings, 1 reply; 13+ messages in thread
From: Christian Brauner @ 2023-05-30 15:54 UTC (permalink / raw)
  To: Prince Kumar Maurya
  Cc: linux-kernel-mentees, syzkaller-bugs, linux-kernel, viro,
	linux-fsdevel, chenzhongjin, syzbot+aad58150cbc64ba41bdc

On Tue, May 30, 2023 at 07:59:16AM -0700, Prince Kumar Maurya wrote:
> On Tue, May 30, 2023 at 1:26 AM Christian Brauner <brauner@kernel.org> wrote:
> >
> > On Sun, May 28, 2023 at 11:44:22AM -0700, Prince Kumar Maurya wrote:
> > > sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on
> > > it leads to the null-ptr-deref bug.
> > >
> > > Reported-by: syzbot+aad58150cbc64ba41bdc@syzkaller.appspotmail.com
> > > Closes: https://syzkaller.appspot.com/bug?extid=aad58150cbc64ba41bdc
> > > Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
> > > ---
> > > Change since v2: Updated subject and added Reported-by and Closes tags.
> > >
> > >  fs/sysv/itree.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > >
> > > diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
> > > index b22764fe669c..3a6b66e719fd 100644
> > > --- a/fs/sysv/itree.c
> > > +++ b/fs/sysv/itree.c
> > > @@ -145,6 +145,8 @@ static int alloc_branch(struct inode *inode,
> > >                */
> > >               parent = block_to_cpu(SYSV_SB(inode->i_sb), branch[n-1].key);
> > >               bh = sb_getblk(inode->i_sb, parent);
> > > +             if (!bh)
> > > +                     break;
> >
> > When you break here you'll hit:
> >
> > /* Allocation failed, free what we already allocated */
> > for (i = 1; i < n; i++)
> >         bforget(branch[i].bh);
> > for (i = 0; i < n; i++)
> >         sysv_free_block(inode->i_sb, branch[i].key);
> >
> > below. The cleanup paths were coded in the assumption that sb_getblk()
> > can't fail. So bforget() can assume that branch[i].bh has been allocated
> > and set up. So that bforget(branch[i].bh) is your next pending NULL
> > deref afaict.
> 
> 
> I doubt that would happen. There is a break above as well, before we do
> sb_getblk():
> 
> /* Allocate the next block */
> branch[n].key = sysv_new_block(inode->i_sb);
> if (!branch[n].key)
>    break;
> 
> The cleanup code path runs while i is less than n, not equal to n, which
> would have caused the problem.

But then aren't you leaking branch[n].key if you break after failed sb_getblk()
after sysv_new_block() succeeded?

* [PATCH v4] fs/sysv: Null check to prevent null-ptr-deref bug
  2023-05-30 15:54       ` Christian Brauner
@ 2023-05-31  1:31         ` Prince Kumar Maurya
  0 siblings, 0 replies; 13+ messages in thread
From: Prince Kumar Maurya @ 2023-05-31  1:31 UTC (permalink / raw)
  To: skhan, brauner, dchinner, viro, chenzhongjin
  Cc: syzkaller-bugs, linux-kernel, linux-fsdevel,
	linux-kernel-mentees, syzbot+aad58150cbc64ba41bdc

sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on
it leads to the null-ptr-deref bug.

Reported-by: syzbot+aad58150cbc64ba41bdc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=aad58150cbc64ba41bdc
Signed-off-by: Prince Kumar Maurya <princekumarmaurya06@gmail.com>
---
Change since v3: Added cleanup code for branch[n].key on the
failure code path.

 fs/sysv/itree.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
index b22764fe669c..58d7f43a1371 100644
--- a/fs/sysv/itree.c
+++ b/fs/sysv/itree.c
@@ -145,6 +145,10 @@ static int alloc_branch(struct inode *inode,
 		 */
 		parent = block_to_cpu(SYSV_SB(inode->i_sb), branch[n-1].key);
 		bh = sb_getblk(inode->i_sb, parent);
+		if (!bh) {
+			sysv_free_block(inode->i_sb, branch[n].key);
+			break;
+		}
 		lock_buffer(bh);
 		memset(bh->b_data, 0, blocksize);
 		branch[n].bh = bh;
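Review bot: the sysv_free_block(inode->i_sb, branch[n].key) before the break closes the leak raised against v3, but leaves branch[n].key holding a block number that has just been freed. That is harmless only because both cleanup loops at the end of alloc_branch() stop at i < n, and a reader of the failure path has to check both bounds to confirm it. Setting branch[n].key = 0 after the free would make the state self-evident, and the commit message should mention the freed block, since it still describes only the NULL dereference.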
-- 
2.40.1

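The allocation and cleanup accounting argued over in the v3 review (the bound of the bforget() loop and the leaked branch[n].key) and closed by v4 above, as an added example that is not part of the thread or of fs/sysv: a user-space C model of alloc_branch() with a fake block allocator and a fake sb_getblk() whose failure level can be chosen. The struct names, the block numbers starting at 100, the failure injection and the outcome counters are all constructed for this model; the kernel's own return codes are not modelled (the model returns -1 after the cleanup path and -2 where the unpatched code would have crashed). Only the control flow follows the kernel function as quoted in the review.

```c
/*
 * Added example, not code from the thread or from fs/sysv: a user-space
 * model of alloc_branch()'s allocate-then-clean-up logic. All names and
 * numbers are constructed; only the control flow (allocate key, get parent
 * buffer, break on failure, clean up i < n) follows the kernel function.
 */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 4   /* constructed bound for the branch array */

struct fake_bh { int block; int forgotten; };
struct indirect { int key; struct fake_bh *bh; };

enum variant {
	V_ORIGINAL,        /* no check: lock_buffer(NULL) would crash */
	V_BREAK_ONLY,      /* v1-v3 of the patch: if (!bh) break; */
	V_FREE_THEN_BREAK  /* v4: free branch[n].key, then break */
};

/* Constructed bookkeeping of what is still held after the call. */
static int next_block, live_blocks, live_bhs, getblk_fail_at;
static struct fake_bh bh_pool[MAX_DEPTH];

static int fake_new_block(void) { live_blocks++; return next_block++; } /* never 0 */
static void fake_free_block(int key) { (void)key; live_blocks--; }
static void fake_bforget(struct fake_bh *bh) { bh->forgotten = 1; live_bhs--; }

static struct fake_bh *fake_getblk(int n, int block)
{
	if (n == getblk_fail_at)
		return NULL;                 /* injected sb_getblk() failure */
	bh_pool[n].block = block;
	bh_pool[n].forgotten = 0;
	live_bhs++;
	return &bh_pool[n];
}

/* Returns 0 on success, -1 after the cleanup path, -2 where the unpatched
 * kernel would have dereferenced NULL in lock_buffer(). */
static int model_alloc_branch(int num, enum variant v, struct indirect *branch)
{
	int n = 0, i;

	branch[0].key = fake_new_block();
	if (branch[0].key) for (n = 1; n < num; n++) {
		struct fake_bh *bh;
		/* Allocate the next block */
		branch[n].key = fake_new_block();
		if (!branch[n].key)
			break;
		/* Get the parent buffer; branch[n].key is already allocated here. */
		bh = fake_getblk(n, branch[n-1].key);
		if (!bh) {
			if (v == V_ORIGINAL)
				return -2;
			if (v == V_FREE_THEN_BREAK)
				fake_free_block(branch[n].key);
			break;                   /* branch[n].bh is never assigned */
		}
		branch[n].bh = bh;
	}
	if (n == num)
		return 0;

	/* Allocation failed, free what we already allocated (i < n, as in the kernel) */
	for (i = 1; i < n; i++)
		fake_bforget(branch[i].bh);
	for (i = 0; i < n; i++)
		fake_free_block(branch[i].key);
	return -1;
}

struct outcome { int rc; int live_blocks; int live_bhs; };

/* Reset the fake state, run one variant with sb_getblk() failing at level
 * fail_at (0 = never fails), and report what is left allocated. */
static struct outcome run_model(enum variant v, int num, int fail_at)
{
	struct indirect branch[MAX_DEPTH];
	struct outcome o;

	memset(branch, 0, sizeof(branch));
	next_block = 100;
	live_blocks = live_bhs = 0;
	getblk_fail_at = fail_at;
	o.rc = model_alloc_branch(num, v, branch);
	o.live_blocks = live_blocks;
	o.live_bhs = live_bhs;
	return o;
}

int main(void)
{
	int v;
	for (v = V_ORIGINAL; v <= V_FREE_THEN_BREAK; v++) {
		struct outcome o = run_model((enum variant)v, 4, 2); /* fail at level 2 of 4 */
		printf("variant %d: rc=%d blocks held=%d buffers held=%d\n",
		       v, o.rc, o.live_blocks, o.live_bhs);
	}
	return 0;
}
```

With sb_getblk() failing at level 2 of a 4-level branch, the original variant returns the crash marker with three blocks and one buffer still held; the break-only variant forgets every buffer it obtained (the i < n point made in the thread) but leaves one block held, which is the leak raised against v3; the v4 variant leaves nothing held.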

* Re: [PATCH v4] fs/sysv: Null check to prevent null-ptr-deref bug
  2023-05-28 18:44 ` [PATCH v3] fs/sysv: " Prince Kumar Maurya
  2023-05-30  8:26   ` Christian Brauner
@ 2023-06-01  7:55   ` Christian Brauner
  1 sibling, 0 replies; 13+ messages in thread
From: Christian Brauner @ 2023-06-01  7:55 UTC (permalink / raw)
  To: Prince Kumar Maurya
  Cc: Christian Brauner, chenzhongjin, dchinner, syzkaller-bugs,
	linux-kernel, viro, linux-fsdevel, linux-kernel-mentees,
	syzbot+aad58150cbc64ba41bdc

On Sun, 28 May 2023 11:44:22 -0700, Prince Kumar Maurya wrote:
> sb_getblk(inode->i_sb, parent) returns a null ptr and taking a lock on
> it leads to the null-ptr-deref bug.
> 
> 

Applied to the vfs.misc branch of the vfs/vfs.git tree.
Patches in the vfs.misc branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.misc

[1/1] fs/sysv: Null check to prevent null-ptr-deref bug
      https://git.kernel.org/vfs/vfs/c/47f9da4bc5e6
