| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20221118114137.128088-1-arefev@swemel.ru>
Date: Fri, 18 Nov 2022 14:41:37 +0300
From: Denis Arefev <arefev@...mel.ru>
To: Alexander Viro <viro@...iv.linux.org.uk>
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org, trufanov@...mel.ru, vfh@...mel.ru
Subject: [PATCH v2] namespace: Added pointer check in copy_mnt_ns()
Return value of a function 'next_mnt' is dereferenced at
namespace.c:3377 without checking for null,
but it is usually checked for this function
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Denis Arefev <arefev@...mel.ru>
---
fs/namespace.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index cebaa3e81794..06472a110257 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3348,9 +3348,9 @@ struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns,
}
p = next_mnt(p, old);
q = next_mnt(q, new);
- if (!q)
+ if (!q || !p)
break;
- while (p->mnt.mnt_root != q->mnt.mnt_root)
+ while (p && (p->mnt.mnt_root != q->mnt.mnt_root))
p = next_mnt(p, old);
}
namespace_unlock();
--
2.25.1
Powered by blists - more mailing lists