lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Tue, 5 Jan 2021 09:04:30 +0900
From:   Daeho Jeong <daeho43@...il.com>
To:     Colin Ian King <colin.king@...onical.com>
Cc:     Daeho Jeong <daehojeong@...gle.com>,
        Jaegeuk Kim <jaegeuk@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        linux-f2fs-devel@...ts.sourceforge.net
Subject: Re: [f2fs-dev] f2fs: add F2FS_IOC_DECOMPRESS_FILE and F2FS_IOC_COMPRESS_FILE

Hi Colin,

Thanks for notifying me. We need to just continue without
set_page_dirty() and f2fs_put_page().

2021년 1월 4일 (월) 오후 11:43, Colin Ian King <colin.king@...onical.com>님이 작성:
>
> Hi,
>
> Static analysis using Coverity has detected a potential null pointer
> dereference after a null check in the following commit:
>
> commit 5fdb322ff2c2b4ad519f490dcb7ebb96c5439af7
> Author: Daeho Jeong <daehojeong@...gle.com>
> Date:   Thu Dec 3 15:56:15 2020 +0900
>
>     f2fs: add F2FS_IOC_DECOMPRESS_FILE and F2FS_IOC_COMPRESS_FILE
>
> The analysis is as follows:
>
> 4025 static int redirty_blocks(struct inode *inode, pgoff_t page_idx,
> int len)
> 4026 {
> 4027        DEFINE_READAHEAD(ractl, NULL, inode->i_mapping, page_idx);
> 4028        struct address_space *mapping = inode->i_mapping;
> 4029        struct page *page;
> 4030        pgoff_t redirty_idx = page_idx;
> 4031        int i, page_len = 0, ret = 0;
> 4032
> 4033        page_cache_ra_unbounded(&ractl, len, 0);
> 4034
>
>     1. Condition i < len, taking true branch.
>     4. Condition i < len, taking true branch.
>
> 4035        for (i = 0; i < len; i++, page_idx++) {
> 4036                page = read_cache_page(mapping, page_idx, NULL, NULL);
>
>     2. Condition IS_ERR(page), taking false branch.
>     5. Condition IS_ERR(page), taking true branch.
>
> 4037                if (IS_ERR(page)) {
> 4038                        ret = PTR_ERR(page);
>
>     6. Breaking from loop.
>
> 4039                        break;
> 4040                }
> 4041                page_len++;
>
>     3. Jumping back to the beginning of the loop.
>
> 4042        }
> 4043
>
>     7. Condition i < page_len, taking true branch.
>
> 4044        for (i = 0; i < page_len; i++, redirty_idx++) {
> 4045                page = find_lock_page(mapping, redirty_idx);
>
>     8. Condition !page, taking true branch.
>     9. var_compare_op: Comparing page to null implies that page might be
> null.
>
> 4046                if (!page)
> 4047                        ret = -ENOENT;
>
> Dereference after null check (FORWARD_NULL)
>
>    10. var_deref_model: Passing null pointer page to set_page_dirty,
> which dereferences it.
>
> 4048                set_page_dirty(page);
> 4049                f2fs_put_page(page, 1);
> 4050                f2fs_put_page(page, 0);
> 4051        }
> 4052
> 4053        return ret;
> 4054 }
>
> The !page check on line 4046 sets ret appropriately but we have a
> following call to set_page_dirty on a null page that causes the error.
> Not sure how this should be fixed, should the check bail out immediately
> or just avoid the following set_page_dirty anf f2fs_put_page calls?
>
> Colin
>
>
>
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@...ts.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel

Powered by blists - more mailing lists