| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJfpegvKvHwU69F0wazk_TyrKPCcrcVU+Z+5=UNpg29CJGH84w@mail.gmail.com> Date: Tue, 29 Apr 2025 14:01:43 +0200 From: Miklos Szeredi <miklos@...redi.hu> To: Wang Zhaolong <wangzhaolong1@...wei.com> Cc: amir73il@...il.com, linux-unionfs@...r.kernel.org, linux-kernel@...r.kernel.org, yi.zhang@...wei.com, yangerkun@...wei.com Subject: Re: [PATCH] overlayfs: fix potential NULL pointer dereferences in file handle code On Tue, 29 Apr 2025 at 02:13, Wang Zhaolong <wangzhaolong1@...wei.com> wrote: > > Several locations in overlayfs file handle code fail to check if a file > handle pointer is NULL before accessing its members. A NULL file handle > can occur when the lower filesystem doesn't support export operations, > as seen in ovl_get_origin_fh() which explicitly returns NULL in this case. Have you tried to trigger these conditions? If you find a bug by code inspection, try to recreate it, by that you can also verify that the patch works. If you cannot reproduce it, at least prove that triggering the bug is possible. Without a proof the patch may turn out to do nothing at best and introduce new bugs at worst. > > The following locations are vulnerable to NULL pointer dereference: > > 1. ovl_set_origin_fh() accesses fh->buf without checking if fh is NULL Hint: fh->buf is equivalent to &fh->buf in this case, the latter obviously not being a dereference. > 2. ovl_verify_fh() uses fh->fb members without NULL check > 3. ovl_get_index_name_fh() accesses fh->fb.len without NULL check These are called in the "index=on" case, which verifies at mount time that all layers support file handles. Thanks, Miklos
Powered by blists - more mailing lists