Message-Id: <1456935569-20053-1-git-send-email-kernel@kyup.com>
Date:	Wed,  2 Mar 2016 18:19:29 +0200
From:	Nikolay Borisov <kernel@...p.com>
To:	jack@...e.com
Cc:	linux-kernel@...r.kernel.org
Subject: [RFC PATCH] quota: Fix possible GPF due to uninitialised pointers

While debugging some issues with quota I realized that
it's possible to pass an array with bogus dquot pointers from
__dquot_initialize to dqput. This can happen if the initialisation
of the dquot objects for an inode fails and the control flow is
transferred to the out_put label. In case only the USR or GRP quota
is initialised then the PRJ pointer in the "got" array would remain
uninitialised. This will cause the NULL ptr check in dqput to pass,
but actually the pointer is going to be invalid. Eventually this would
cause a GPF.

To fix this, just zero out the "got" array.

Signed-off-by: Nikolay Borisov <kernel@...p.com>
---
 fs/quota/dquot.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index ef0d64b2a6d9..a0ab58fd85ae 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -1408,6 +1408,8 @@ static int __dquot_initialize(struct inode *inode, int type)
 
 	dquots = i_dquot(inode);
 
+	memset(got, 0, 3 * sizeof(struct dquot *));
+
 	/* First get references to structures we might need. */
 	for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
 		struct kqid qid;
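Review bot: the hard-coded `3 * sizeof(struct dquot *)` in the memset is fragile: the loop right below it iterates to MAXQUOTAS, so the zeroed length and the array length can silently diverge if the number of quota types changes. Use `sizeof(got)` (or `MAXQUOTAS * sizeof(struct dquot *)`), or better, drop the memset and zero the array at its declaration with `struct dquot *got[MAXQUOTAS] = {};`, which guarantees every element is NULL before any early exit to out_put, regardless of where that exit happens.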
-- 
2.5.0
