lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <df4b5d21-0983-3ca2-44de-ea9f1616df7f@gmx.com>
Date:   Wed, 24 Jul 2019 10:21:56 +0800
From:   Qu Wenruo <quwenruo.btrfs@....com>
To:     Jia-Ju Bai <baijiaju1990@...il.com>, clm@...com,
        josef@...icpanda.com, dsterba@...e.com
Cc:     linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] fs: btrfs: Fix a possible null-pointer dereference in
 insert_inline_extent()



On 2019/7/24 上午10:11, Jia-Ju Bai wrote:
> In insert_inline_extent(), there is an if statement on line 181 to check
> whether compressed_pages is NULL:
>     if (compressed_size && compressed_pages)
> 
> When compressed_pages is NULL, compressed_pages is used on line 215:
>     cpage = compressed_pages[i];
> 
> Thus, a possible null-pointer dereference may occur.
> 
> To fix this possible bug, compressed_pages is checked on line 214.

This can only be hit with compressed_size > 0 and compressed_pages != NULL.

It would be better to have an extra ASSERT() to warn developers about
the impossible case.

Thanks,
Qu

> 
> This bug is found by a static analysis tool STCheck written by us.
> 
> Signed-off-by: Jia-Ju Bai <baijiaju1990@...il.com>
> ---
>  fs/btrfs/inode.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index 1af069a9a0c7..19182272fbd8 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -211,7 +211,7 @@ static int insert_inline_extent(struct btrfs_trans_handle *trans,
>  	if (compress_type != BTRFS_COMPRESS_NONE) {
>  		struct page *cpage;
>  		int i = 0;
> -		while (compressed_size > 0) {
> +		while (compressed_size > 0 && compressed_pages) {
>  			cpage = compressed_pages[i];
>  			cur_size = min_t(unsigned long, compressed_size,
>  				       PAGE_SIZE);
> 



Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ