Message-ID: <29D47981-00B6-43DF-A5A0-917D4AF87BE7@oracle.com>
Date:   Fri, 23 Apr 2021 14:47:35 +0000
From:   Chuck Lever III <chuck.lever@...cle.com>
To:     wangyunjian <wangyunjian@...wei.com>
CC:     Jakub Kicinski <kuba@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Linux-Net <netdev@...r.kernel.org>,
        Bruce Fields <bfields@...ldses.org>,
        "dingxiaoxiong@...wei.com" <dingxiaoxiong@...wei.com>,
        Linux NFS Mailing List <linux-nfs@...r.kernel.org>
Subject: Re: [PATCH net] SUNRPC: Fix null pointer dereference in
 svc_rqst_free()

[ adding Cc: linux-nfs@...r.kernel.org ]

> On Apr 23, 2021, at 5:42 AM, wangyunjian <wangyunjian@...wei.com> wrote:
> 
> From: Yunjian Wang <wangyunjian@...wei.com>
> 
> When alloc_pages_node() returns null in svc_rqst_alloc(), the
> null rq_scratch_page pointer will be dereferenced when calling
> put_page() in svc_rqst_free(). Fix it by adding a null check.
> 
> Addresses-Coverity: ("Dereference after null check")
> Fixes: 5191955d6fc6 ("SUNRPC: Prepare for xdr_stream-style decoding on the server-side")
> Signed-off-by: Yunjian Wang <wangyunjian@...wei.com>

Thanks for the fix. I've pushed it to the for-next branch at

git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git


> ---
> net/sunrpc/svc.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
> index d76dc9d95d16..0de918cb3d90 100644
> --- a/net/sunrpc/svc.c
> +++ b/net/sunrpc/svc.c
> @@ -846,7 +846,8 @@ void
> svc_rqst_free(struct svc_rqst *rqstp)
> {
> 	svc_release_buffer(rqstp);
> -	put_page(rqstp->rq_scratch_page);
> +	if (rqstp->rq_scratch_page)
> +		put_page(rqstp->rq_scratch_page);
> 	kfree(rqstp->rq_resp);
> 	kfree(rqstp->rq_argp);
> 	kfree(rqstp->rq_auth_data);
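
Review bot: The new `if (rqstp->rq_scratch_page)` guard in svc_rqst_free() has no comment saying when the pointer can be NULL. Per the commit message, that happens when alloc_pages_node() fails in svc_rqst_alloc() and the partially set up rqstp is then freed. A one-line comment above the check stating this would keep a later cleanup from removing it as redundant. The kfree() calls that follow accept NULL already, so put_page() is the call in this visible teardown sequence where the distinction matters.
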
> -- 
> 2.23.0
> 

--
Chuck Lever


