From: Yin Fengwei <nh26223.lmm@gmail.com>
To: dhowells@redhat.com, gregkh@linuxfoundation.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, miklos@szeredi.hu,
	viro@zeniv.linux.org.uk, tglx@linutronix.de,
	kstewart@linuxfoundation.org
Subject: [PATCH] fs: fs_parser: avoid NULL param->string to kstrtouint
Date: Fri, 19 Jul 2019 20:43:29 +0800
Message-ID: <20190719124329.23207-1-nh26223.lmm@gmail.com>

syzbot reported general protection fault in kstrtouint:
https://lkml.org/lkml/2019/7/18/328

From the log, if the mount option is something like:
   fd,XXXXXXXXXXXXXXXXXXXX

The default parameter (which has a NULL param->string) will be
passed to vfs_parse_fs_param. Finally, this NULL param->string
is passed to kstrtouint and triggers a NULL pointer access.

Reported-by: syzbot+398343b7c1b1b989228d@syzkaller.appspotmail.com
Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse")

Signed-off-by: Yin Fengwei <nh26223.lmm@gmail.com>
---
 fs/fs_parser.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/fs_parser.c b/fs/fs_parser.c
index d13fe7d797c2..578e6880ac67 100644
--- a/fs/fs_parser.c
+++ b/fs/fs_parser.c
@@ -210,6 +210,10 @@ int fs_parse(struct fs_context *fc,
 	case fs_param_is_fd: {
 		switch (param->type) {
 		case fs_value_is_string:
+			if (result->has_value) {
+				goto bad_value;
+			}
+
 			ret = kstrtouint(param->string, 0, &result->uint_32);
 			break;
 		case fs_value_is_file:
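Review bot: the new guard in the fs_value_is_string case appears to be inverted. The commit message says the crash happens when param->string is NULL, i.e. when no value is present, yet the hunk jumps to bad_value when result->has_value is true, which is exactly the case where a string is available for kstrtouint; the NULL case still falls through to kstrtouint unchanged, and a legitimate "fd=<n>" option would now be rejected. If has_value reflects whether param->string is set, as its name and the description imply, the check should read `if (!result->has_value)` / `goto bad_value;`. Minor style point: kernel style omits the braces around a single-statement if body, and checkpatch will flag them.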
-- 
2.17.1


Thread overview: 5+ messages
2019-07-19 12:43 Yin Fengwei [this message]
2019-07-19 13:37 ` [PATCH] fs: fs_parser: avoid NULL param->string to kstrtouint Dmitry Vyukov
2019-07-19 23:28   ` YinFengwei
2019-07-19 17:38 ` Greg KH
2019-07-19 23:29   ` YinFengwei