| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1471967731-3465-1-git-send-email-aryabinin@virtuozzo.com>
Date: Tue, 23 Aug 2016 18:55:31 +0300
From: Andrey Ryabinin <aryabinin@...tuozzo.com>
To: Jens Axboe <axboe@...com>, Alexander Viro <viro@...iv.linux.org.uk>
CC: <linux-fsdevel@...r.kernel.org>,
Maxim Patlasov <mpatlasov@...tuozzo.com>,
Christoph Hellwig <hch@....de>, <linux-kernel@...r.kernel.org>,
"Andrey Ryabinin" <aryabinin@...tuozzo.com>
Subject: [PATCH] fs/block_dev: fix potential NULL ptr deref in freeze_bdev()
Calling freeze_bdev() twice on the same block device without mounted
filesystem get_super() will return NULL, which will lead to NULL-ptr
dereference later in drop_super().
Check get_super() result to fix that.
Note, that this is a purely theoretical issue. We have only 3
freeze_bdev() callers. 2 of them are in filesystem code and used on a
device with mounted fs. The third one in lock_fs() has protection in
upper-layer code against freezing block device the second time without
thawing it first.
Signed-off-by: Andrey Ryabinin <aryabinin@...tuozzo.com>
---
fs/block_dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/block_dev.c b/fs/block_dev.c
index c3cdde8..c18b083 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -249,7 +249,8 @@ struct super_block *freeze_bdev(struct block_device *bdev)
* thaw_bdev drops it.
*/
sb = get_super(bdev);
- drop_super(sb);
+ if (sb)
+ drop_super(sb);
mutex_unlock(&bdev->bd_fsfreeze_mutex);
return sb;
}
--
2.7.3
Powered by blists - more mailing lists