[PATCH] fs: fs_parser: avoid NULL param->string to kstrtouint


Yin Fengwei

Jul 19, 2019, 8:43:57 AM
to dhow...@redhat.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, mik...@szeredi.hu, vi...@zeniv.linux.org.uk, tg...@linutronix.de, kste...@linuxfoundation.org
syzbot reported a general protection fault in kstrtouint:
https://lkml.org/lkml/2019/7/18/328

From the log, if the mount option is something like:
fd,XXXXXXXXXXXXXXXXXXXX

The default parameter (which has NULL param->string) will be
passed to vfs_parse_fs_param. Finally, this NULL param->string
is passed to kstrtouint and triggers a NULL pointer access.

Reported-by: syzbot+398343...@syzkaller.appspotmail.com
Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse")

Signed-off-by: Yin Fengwei <nh262...@gmail.com>
---
fs/fs_parser.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/fs/fs_parser.c b/fs/fs_parser.c
index d13fe7d797c2..578e6880ac67 100644
--- a/fs/fs_parser.c
+++ b/fs/fs_parser.c
@@ -210,6 +210,10 @@ int fs_parse(struct fs_context *fc,
case fs_param_is_fd: {
switch (param->type) {
case fs_value_is_string:
+ if (result->has_value) {
+ goto bad_value;
+ }
+
ret = kstrtouint(param->string, 0, &result->uint_32);
break;
case fs_value_is_file:
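Review bot: the condition added in the fs_value_is_string case is inverted. `if (result->has_value) { goto bad_value; }` rejects the parameters that actually carry a value and lets the no-value case (the NULL param->string the commit message identifies as the crash, from an option like `fd,XXXX`) fall through to `ret = kstrtouint(param->string, 0, &result->uint_32);` unchanged. It should read `if (!result->has_value) goto bad_value;` (and, per kernel style, the braces around a single statement should go), so the guard actually covers the reported input.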
--
2.17.1

Dmitry Vyukov

Jul 19, 2019, 9:37:51 AM
to Yin Fengwei, David Howells, Greg Kroah-Hartman, linux-fsdevel, LKML, syzkaller-bugs, Miklos Szeredi, Al Viro, Thomas Gleixner, Kate Stewart
On Fri, Jul 19, 2019 at 2:44 PM Yin Fengwei <nh262...@gmail.com> wrote:
>
> syzbot reported a general protection fault in kstrtouint:
> https://lkml.org/lkml/2019/7/18/328
>
> From the log, if the mount option is something like:
> fd,XXXXXXXXXXXXXXXXXXXX
>
> The default parameter (which has NULL param->string) will be
> passed to vfs_parse_fs_param. Finally, this NULL param->string
> is passed to kstrtouint and triggers a NULL pointer access.
>
> Reported-by: syzbot+398343...@syzkaller.appspotmail.com
> Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse")
>
> Signed-off-by: Yin Fengwei <nh262...@gmail.com>
> ---
> fs/fs_parser.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/fs_parser.c b/fs/fs_parser.c
> index d13fe7d797c2..578e6880ac67 100644
> --- a/fs/fs_parser.c
> +++ b/fs/fs_parser.c
> @@ -210,6 +210,10 @@ int fs_parse(struct fs_context *fc,
> case fs_param_is_fd: {
> switch (param->type) {
> case fs_value_is_string:
> + if (result->has_value) {

!result->has_value ?

> + goto bad_value;
> + }
> +
> ret = kstrtouint(param->string, 0, &result->uint_32);
> break;
> case fs_value_is_file:
> --
> 2.17.1
>

Greg KH

Jul 19, 2019, 1:38:18 PM
to Yin Fengwei, dhow...@redhat.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, mik...@szeredi.hu, vi...@zeniv.linux.org.uk, tg...@linutronix.de, kste...@linuxfoundation.org
Always run checkpatch.pl so grumpy maintainers do not tell you to go run
checkpatch.pl :)

YinFengwei

Jul 19, 2019, 7:28:33 PM
to Dmitry Vyukov, Yin Fengwei, David Howells, Greg Kroah-Hartman, linux-fsdevel, LKML, syzkaller-bugs, Miklos Szeredi, Al Viro, Thomas Gleixner, Kate Stewart
Yes. Should have ! in condition for NULL param->string. Will fix in v2.

Regards
Yin, Fengwei

YinFengwei

Jul 19, 2019, 7:29:27 PM
to Greg KH, Yin Fengwei, dhow...@redhat.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, mik...@szeredi.hu, vi...@zeniv.linux.org.uk, tg...@linutronix.de, kste...@linuxfoundation.org
Thanks a lot for the kind reminder. Will be careful with future patches. :)

Regards
Yin, Fengwei

Yin Fengwei

Jul 19, 2019, 7:30:16 PM
to dhow...@redhat.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, mik...@szeredi.hu, vi...@zeniv.linux.org.uk, tg...@linutronix.de, kste...@linuxfoundation.org
syzbot reported a general protection fault in kstrtouint:
https://lkml.org/lkml/2019/7/18/328

From the log, if the mount option is something like:
fd,XXXXXXXXXXXXXXXXXXXX

The default parameter (which has NULL param->string) will be
passed to vfs_parse_fs_param. Finally, this NULL param->string
is passed to kstrtouint and triggers a NULL pointer access.

Reported-by: syzbot+398343...@syzkaller.appspotmail.com
Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse")

Signed-off-by: Yin Fengwei <nh262...@gmail.com>
---
ChangeLog:
v1 -> v2:
- Fix typo in v1
- Remove braces {} from single statement blocks

fs/fs_parser.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/fs_parser.c b/fs/fs_parser.c
index 83b66c9e9a24..7498a44f18c0 100644
--- a/fs/fs_parser.c
+++ b/fs/fs_parser.c
@@ -206,6 +206,9 @@ int fs_parse(struct fs_context *fc,
case fs_param_is_fd: {
switch (param->type) {
case fs_value_is_string:
+ if (!result->has_value)
+ goto bad_value;
+
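Review bot: the commit message explains the crash as a NULL param->string, but the guard added before the kstrtouint() call tests `result->has_value`, not the string; the relationship between the two is left for the reader to work out. Either state in the commit message that has_value being clear is what the valueless `fd,XXXX` option produces (and hence why the string is NULL), or put a one-line comment above `if (!result->has_value)` saying that an "fd" key given without a value has no string to parse. The condition itself is now the right way round compared with v1, and dropping the braces matches the ChangeLog entry.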

Eric Biggers

Aug 15, 2019, 10:46:57 PM
to vi...@zeniv.linux.org.uk, dhow...@redhat.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, mik...@szeredi.hu, tg...@linutronix.de, Yin Fengwei, kste...@linuxfoundation.org
Reviewed-by: Eric Biggers <ebig...@kernel.org>

Al, can you please apply this patch?

- Eric

Eric Biggers

Aug 22, 2019, 12:22:52 AM
to vi...@zeniv.linux.org.uk, dhow...@redhat.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
[trimmed Cc list a bit]
Ping. Al, when are you going to apply this?

- Eric

Al Viro

Aug 22, 2019, 1:33:19 AM
to dhow...@redhat.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Wed, Aug 21, 2019 at 09:22:49PM -0700, Eric Biggers wrote:
> > > diff --git a/fs/fs_parser.c b/fs/fs_parser.c
> > > index 83b66c9e9a24..7498a44f18c0 100644
> > > --- a/fs/fs_parser.c
> > > +++ b/fs/fs_parser.c
> > > @@ -206,6 +206,9 @@ int fs_parse(struct fs_context *fc,
> > > case fs_param_is_fd: {
> > > switch (param->type) {
> > > case fs_value_is_string:
> > > + if (!result->has_value)
> > > + goto bad_value;
> > > +
> > > ret = kstrtouint(param->string, 0, &result->uint_32);
> > > break;
> > > case fs_value_is_file:
> > > --
> > > 2.17.1
> >
> > Reviewed-by: Eric Biggers <ebig...@kernel.org>
> >
> > Al, can you please apply this patch?
> >
> > - Eric
>
> Ping. Al, when are you going to apply this?

Sits in the local queue. Sorry, got seriously sidetracked into
configfs mess lately, will update for-next tomorrow and push
it out.