| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Mar 2016 18:19:29 +0200
From: Nikolay Borisov <kernel@...p.com>
To: jack@...e.com
Cc: linux-kernel@...r.kernel.org
Subject: [RFC PATCH] quota: Fix possible GFP due to uninitialised pointers
While debugging some issues with quota I realized that
it's possible to pass array with bogus dquot pointers from
__dquot_initialize to dqput. This can happen if the initialisation
of the dquot objects for an inode fail and the control flow is
transferred to the out_put label. In case only the USR or GRP quota
are initialised then the PRJ pointer in the "got" array would remain
uninitialised. This will cause the NULL ptr check in dqput to pass
but actually the pointer is going to be invalid. Eventually this would
cause a GFP.
To fix this just zero out the got array
Signed-off-by: Nikolay Borisov <kernel@...p.com>
---
fs/quota/dquot.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index ef0d64b2a6d9..a0ab58fd85ae 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -1408,6 +1408,8 @@ static int __dquot_initialize(struct inode *inode, int type)
dquots = i_dquot(inode);
+ memset(got, 0, 3 * sizeof(struct dquot *));
+
/* First get references to structures we might need. */
for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
struct kqid qid;
--
2.5.0
Powered by blists - more mailing lists