Message-Id: <20201001090547.431840-1-anmol.karan123@gmail.com>
Date: Thu, 1 Oct 2020 14:35:47 +0530
From: Anmol Karn <anmol.karan123@...il.com>
To: jack@...e.cz, jeffm@...e.com
Cc: linux-kernel@...r.kernel.org, reiserfs-devel@...r.kernel.org,
linux-kernel-mentees@...ts.linuxfoundation.org,
syzkaller-bugs@...glegroups.com, anmol.karan123@...il.com,
syzbot+9b33c9b118d77ff59b6f@...kaller.appspotmail.com
Subject: [Linux-kernel-mentees] [PATCH] fs: reiserfs: xattr: Fix null pointer dereference in open_xa_root()

d_really_is_negative() checks whether dentry->d_inode is NULL or not,
but in open_xa_root(), when it checks 'privroot->d_inode', it doesn't check whether
privroot is NULL or not. This leads to a null pointer dereference while calling it
from open_xa_dir() while initializing xaroot.

- fs/reiserfs/xattr.c

The bug seems to get triggered at this line:

	if (d_really_is_negative(privroot))
		return ERR_PTR(-EOPNOTSUPP);

Fix it by adding a NULL check for privroot.

Reported-and-tested-by: syzbot+9b33c9b118d77ff59b6f@...kaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=9b33c9b118d77ff59b6f
Signed-off-by: Anmol Karn <anmol.karan123@...il.com>
---
fs/reiserfs/xattr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c
index 28b241cd6987..a75480d0ee7e 100644
--- a/fs/reiserfs/xattr.c
+++ b/fs/reiserfs/xattr.c
@@ -121,8 +121,9 @@ static struct dentry *open_xa_root(struct super_block *sb, int flags)
struct dentry *privroot = REISERFS_SB(sb)->priv_root;
struct dentry *xaroot;
- if (d_really_is_negative(privroot))
+ if (!privroot || d_really_is_negative(privroot)) {
return ERR_PTR(-EOPNOTSUPP);
+ }
inode_lock_nested(d_inode(privroot), I_MUTEX_XATTR);
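Review bot: the braces added around the single-statement body of the new if in open_xa_root() are not needed; kernel coding style omits braces around a single statement, so the change can be limited to the condition, if (!privroot || d_really_is_negative(privroot)), with the return line left untouched. Separately, the commit message does not say how REISERFS_SB(sb)->priv_root comes to be NULL by the time open_xa_dir() reaches this function; a sentence on that would let a reader judge whether returning -EOPNOTSUPP here is the right place for the fix, or whether priv_root should have been set up (or the operation rejected) earlier.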
--
2.28.0