lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZxZcR1v8OnYH/l+/@dread.disaster.area>
Date: Tue, 22 Oct 2024 00:51:03 +1100
From: Dave Chinner <david@...morbit.com>
To: Edward Adam Davis <eadavis@...com>
Cc: syzbot+4125a3c514e3436a02e6@...kaller.appspotmail.com, cem@...nel.org,
	chandan.babu@...cle.com, djwong@...nel.org,
	linux-kernel@...r.kernel.org, linux-xfs@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] xfs: If unable to pick perag an error needs to be
 returned

On Sun, Oct 20, 2024 at 01:30:05PM +0800, Edward Adam Davis wrote:
> Syzbot reported a null-ptr-deref Write in xfs_filestream_select_ag.
> When pag is not found, xfs_filestream_pick_ag() also returns 0, which leads
> to null pointer access in xfs_filestream_create_association().
> 
> At the end of xfs_filestream_pick_ag, we need to add a sanity check for pag,
> if we fail to grab any AG, we should return to -ENOSPC instead of 0.
> 
> Reported-and-tested-by: syzbot+4125a3c514e3436a02e6@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=4125a3c514e3436a02e6
> Signed-off-by: Edward Adam Davis <eadavis@...com>
> ---
>  fs/xfs/xfs_filestream.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/fs/xfs/xfs_filestream.c b/fs/xfs/xfs_filestream.c
> index e3aaa0555597..dd8f193a3957 100644
> --- a/fs/xfs/xfs_filestream.c
> +++ b/fs/xfs/xfs_filestream.c
> @@ -165,6 +165,10 @@ xfs_filestream_pick_ag(
>  
>  	trace_xfs_filestream_pick(pag, pino, free);
>  	args->pag = pag;
> +
> +	if (!args->pag)
> +		return -ENOSPC;
> +

If we get here with pag == NULL, then something else has gone
wrong before we got here.

i.e. there's an if (!pag) {} check directly above this, and it can
only fall through to this code if pag != NULL. Hence if pag is NULL
at this point, we should have already hit a null pointer deref
before we got to this point...

So, where's the null pag coming from?

-Dave.
-- 
Dave Chinner
david@...morbit.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ