| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cd7c0bb4-53d2-8a67-0719-c26d043a31fc@redhat.com>
Date: Wed, 24 Jul 2019 10:04:55 +0100
From: Steven Whitehouse <swhiteho@...hat.com>
To: Jia-Ju Bai <baijiaju1990@...il.com>, rpeterso@...hat.com,
agruenba@...hat.com
Cc: cluster-devel@...hat.com, linux-kernel@...r.kernel.org
Subject: Re: [Cluster-devel] [BUG] fs: gfs2: possible null-pointer
dereferences in gfs2_rgrp_bh_get()
Hi,
On 24/07/2019 09:50, Jia-Ju Bai wrote:
> In gfs2_rgrp_bh_get, there is an if statement on line 1191 to check
> whether "rgd->rd_bits[0].bi_bh" is NULL.
That is how we detect whether the rgrp has already been read in, so the
function is skipped in the case that we've already read in the rgrp.
> When "rgd->rd_bits[0].bi_bh" is NULL, it is used on line 1216:
> gfs2_rgrp_in(rgd, (rgd->rd_bits[0].bi_bh)->b_data);
No it isn't. See line 1196 where bi_bh is set, and where we also bail
out (line 1198) in case it has not been set.
> and on line 1225:
> gfs2_rgrp_ondisk2lvb(..., rgd->rd_bits[0].bi_bh->b_data);
> and on line 1228:
> if (!gfs2_rgrp_lvb_valid(rgd))
>
> Note that in gfs2_rgrp_lvb_valid(rgd), there is a statement on line 1114:
> struct gfs2_rgrp *str = (struct gfs2_rgrp
> *)rgd->rd_bits[0].bi_bh->b_data;
>
> Thus, possible null-pointer dereferences may occur.
>
> These bugs are found by a static analysis tool STCheck written by us.
> I do not know how to correctly fix these bugs, so I only report bugs.
>
>
> Best wishes,
> Jia-Ju Bai
>
So I'm not seeing how there can be a NULL deref in those later lines. I
think this is another false positive,
Steve.
Powered by blists - more mailing lists