lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri,  6 Aug 2021 11:58:20 +0200
From:   Lukas Czerner <lczerner@...hat.com>
To:     tytso@....edu
Cc:     linux-ext4@...r.kernel.org
Subject: [PATCH 7/7] mkquota: Fix potental NULL pointer dereference

get_dq() function can fail when the memory allocation fails and so we
could end up dereferencing NULL pointer. Fix it.

Also, we should really return -ENOMEM instead of -1, or even 0 from
various functions in quotaio_tree.c when memory allocation fails.
Fix it as well.

Signed-off-by: Lukas Czerner <lczerner@...hat.com>
---
 lib/support/mkquota.c      | 8 ++++++--
 lib/support/quotaio_tree.c | 8 ++++----
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c
index dce077e6..420ba503 100644
--- a/lib/support/mkquota.c
+++ b/lib/support/mkquota.c
@@ -433,7 +433,8 @@ void quota_data_sub(quota_ctx_t qctx, struct ext2_inode_large *inode,
 		dict = qctx->quota_dict[qtype];
 		if (dict) {
 			dq = get_dq(dict, get_qid(inode, qtype));
-			dq->dq_dqb.dqb_curspace -= space;
+			if (dq)
+				dq->dq_dqb.dqb_curspace -= space;
 		}
 	}
 }
@@ -460,7 +461,8 @@ void quota_data_inodes(quota_ctx_t qctx, struct ext2_inode_large *inode,
 		dict = qctx->quota_dict[qtype];
 		if (dict) {
 			dq = get_dq(dict, get_qid(inode, qtype));
-			dq->dq_dqb.dqb_curinodes += adjust;
+			if (dq)
+				dq->dq_dqb.dqb_curinodes += adjust;
 		}
 	}
 }
@@ -533,6 +535,8 @@ static int scan_dquots_callback(struct dquot *dquot, void *cb_data)
 	struct dquot *dq;
 
 	dq = get_dq(quota_dict, dquot->dq_id);
+	if (!dq)
+		return -ENOMEM;
 	dq->dq_id = dquot->dq_id;
 	dq->dq_flags |= DQF_SEEN;
 
diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c
index 6cc4fb5b..65e68792 100644
--- a/lib/support/quotaio_tree.c
+++ b/lib/support/quotaio_tree.c
@@ -569,7 +569,7 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap,
 	int entries, i;
 
 	if (!buf)
-		return -1;
+		return -ENOMEM;
 
 	set_bit(bitmap, blk);
 	read_blk(dquot->dq_h, blk, buf);
@@ -601,7 +601,7 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
 	__le32 *ref = (__le32 *) buf;
 
 	if (!buf)
-		return 0;
+		return -ENOMEM;
 
 	read_blk(dquot->dq_h, blk, buf);
 	if (depth == QT_TREEDEPTH - 1) {
@@ -667,12 +667,12 @@ int qtree_scan_dquots(struct quota_handle *h,
 	struct dquot *dquot = get_empty_dquot();
 
 	if (!dquot)
-		return -1;
+		return -ENOMEM;
 
 	dquot->dq_h = h;
 	if (ext2fs_get_memzero((info->dqi_blocks + 7) >> 3, &bitmap)) {
 		ext2fs_free_mem(&dquot);
-		return -1;
+		return -ENOMEM;
 	}
 	ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data);
 	if (ret < 0)
-- 
2.31.1

Powered by blists - more mailing lists