| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210805122015.129824-1-islituo@gmail.com>
Date: Thu, 5 Aug 2021 05:20:15 -0700
From: Tuo Li <islituo@...il.com>
To: jlayton@...nel.org, idryomov@...il.com
Cc: ceph-devel@...r.kernel.org, linux-kernel@...r.kernel.org,
baijiaju1990@...il.com, Tuo Li <islituo@...il.com>,
TOTE Robot <oslab@...nghua.edu.cn>
Subject: [PATCH] ceph: fix possible null-pointer dereference in ceph_mdsmap_decode()
kcalloc() is called to allocate memory for m->m_info, and if it fails,
ceph_mdsmap_destroy() behind the label out_err will be called:
ceph_mdsmap_destroy(m);
In ceph_mdsmap_destroy(), m->m_info is dereferenced through:
kfree(m->m_info[i].export_targets);
To fix this possible null-pointer dereference, if memory allocation
for m->m_info fails, free m and return -ENOMEM.
Reported-by: TOTE Robot <oslab@...nghua.edu.cn>
Signed-off-by: Tuo Li <islituo@...il.com>
---
fs/ceph/mdsmap.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/ceph/mdsmap.c b/fs/ceph/mdsmap.c
index abd9af7727ad..7d73e4b64b12 100644
--- a/fs/ceph/mdsmap.c
+++ b/fs/ceph/mdsmap.c
@@ -166,8 +166,10 @@ struct ceph_mdsmap *ceph_mdsmap_decode(void **p, void *end, bool msgr2)
m->possible_max_rank = max(m->m_num_active_mds, m->m_max_mds);
m->m_info = kcalloc(m->possible_max_rank, sizeof(*m->m_info), GFP_NOFS);
- if (!m->m_info)
- goto nomem;
+ if (!m->m_info) {
+ kfree(m);
+ return ERR_PTR(-ENOMEM);
+ }
/* pick out active nodes from mds_info (state > 0) */
for (i = 0; i < n; i++) {
--
2.25.1
Powered by blists - more mailing lists