lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20240102134751.2flliwe4lfvp3r5a@quack3>
Date: Tue, 2 Jan 2024 14:47:51 +0100
From: Jan Kara <jack@...e.cz>
To: Amir Goldstein <amir73il@...il.com>
Cc: Su Hui <suhui@...china.com>, jack@...e.cz, repnop@...gle.com,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] fanotify: avoid possible NULL dereference

On Thu 10-08-23 20:58:16, Amir Goldstein wrote:
> On Tue, Aug 8, 2023 at 12:19 PM Su Hui <suhui@...china.com> wrote:
> >
> > smatch error:
> > fs/notify/fanotify/fanotify_user.c:462 copy_fid_info_to_user():
> > we previously assumed 'fh' could be null (see line 421)
> >
> > Fixes: afc894c784c8 ("fanotify: Store fanotify handles differently")
> > Signed-off-by: Su Hui <suhui@...china.com>'
> 
> Reviewed-by: Amir Goldstein <amir73il@...il.com>

I'm sorry but this has somehow fallen through the cracks. 

> > diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
> > index f69c451018e3..5a5487ae2460 100644
> > --- a/fs/notify/fanotify/fanotify_user.c
> > +++ b/fs/notify/fanotify/fanotify_user.c
> > @@ -459,12 +459,13 @@ static int copy_fid_info_to_user(__kernel_fsid_t *fsid, struct fanotify_fh *fh,
> >         if (WARN_ON_ONCE(len < sizeof(handle)))
> >                 return -EFAULT;
> >
> > -       handle.handle_type = fh->type;
> >         handle.handle_bytes = fh_len;

Well, if passed 'fh' is NULL, we have problems later in the function
anyway. E.g. in fanotify_fh_buf() a few lines below. So I think this needs
a bit more work that just this small fixup...

								Honza

> >
> >         /* Mangle handle_type for bad file_handle */
> >         if (!fh_len)
> >                 handle.handle_type = FILEID_INVALID;
> > +       else
> > +               handle.handle_type = fh->type;
> >
> >         if (copy_to_user(buf, &handle, sizeof(handle)))
> >                 return -EFAULT;
> > --
> > 2.30.2
> >
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ