lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAL3q7H5vV1MLODuCHr1p4Dx6tMGOMeqxDnTGMsDz290kw8Vsew@mail.gmail.com>
Date: Thu, 26 Sep 2024 09:55:34 +0100
From: Filipe Manana <fdmanana@...nel.org>
To: Riyan Dhiman <riyandhiman14@...il.com>
Cc: clm@...com, josef@...icpanda.com, dsterba@...e.com, 
	linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] btrfs: add missing NULL check in btrfs_free_tree_block()

On Thu, Sep 26, 2024 at 8:50 AM Riyan Dhiman <riyandhiman14@...il.com> wrote:
>
> In commit 3ba2d3648f9dc (btrfs: reflow btrfs_free_tree_block), the block
> group lookup using btrfs_lookup_block_group() was added in btrfs_free_tree_block().
> However, the return value of this function is not checked for a NULL result,
> which can lead to null pointer dereferences if the block group is not found.
>
> This patch adds a check to ensure that if btrfs_lookup_block_group() returns
> NULL, the function will gracefully exit, preventing further operations that
> rely on a valid block group pointer.
>
> Signed-off-by: Riyan Dhiman <riyandhiman14@...il.com>
> ---
> Compile tested only
>
>  fs/btrfs/extent-tree.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
> index a5966324607d..7782d4436ca0 100644
> --- a/fs/btrfs/extent-tree.c
> +++ b/fs/btrfs/extent-tree.c
> @@ -3454,6 +3454,8 @@ int btrfs_free_tree_block(struct btrfs_trans_handle *trans,
>         }
>
>         bg = btrfs_lookup_block_group(fs_info, buf->start);
> +       if (!bg)
> +               goto out;

We are supposed to be able to always find the block group to which the
extent buffer belongs to.
If we don't, it means we have a serious corruption or bug.

If that happens we want it to be noisy so that it gets reported and we
look at it.
Letting a NULL pointer dereference happen is one way of getting our attention.

O more gentle and explicit way would be to have a:    ASSERT(bg != NULL);

But certainly not ignoring the problem.

Thanks.

>
>         if (btrfs_header_flag(buf, BTRFS_HEADER_FLAG_WRITTEN)) {
>                 pin_down_extent(trans, bg, buf->start, buf->len, 1);
> --
> 2.46.1
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ