2012-08-08 17:03:56

by Alexey Khoroshilov

Subject: [PATCH] exofs: check for allocation failure in uri_store()

There is no memory allocation failure check in uri_store().
That can lead to NULL pointer dereference.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <[email protected]>
---
fs/exofs/sys.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/exofs/sys.c b/fs/exofs/sys.c
index 5a7b691..1b4f2f9 100644
--- a/fs/exofs/sys.c
+++ b/fs/exofs/sys.c
@@ -80,8 +80,13 @@ static ssize_t uri_show(struct exofs_dev *edp, char *buf)

static ssize_t uri_store(struct exofs_dev *edp, const char *buf, size_t len)
{
+ uint8_t *new_uri;
+
edp->urilen = strlen(buf) + 1;
- edp->uri = krealloc(edp->uri, edp->urilen, GFP_KERNEL);
+ new_uri = krealloc(edp->uri, edp->urilen, GFP_KERNEL);
+ if (new_uri == NULL)
+ return -ENOMEM;
+ edp->uri = new_uri;
strncpy(edp->uri, buf, edp->urilen);
return edp->urilen;
}
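Review bot: on the -ENOMEM return path, edp->urilen has already been overwritten by the unchanged line "edp->urilen = strlen(buf) + 1;" while edp->uri still points at the old buffer, which may be shorter, so the two fields disagree after a failed store. Compute the new length in a local variable and assign edp->urilen together with edp->uri only after krealloc() has succeeded, so that code trusting urilen never sees a length larger than the allocation.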
--
1.7.9.5


2012-08-09 18:54:41

by Sachin Bhamare

Subject: Re: [PATCH] exofs: check for allocation failure in uri_store()

On 8/8/12 10:02 AM, Alexey Khoroshilov wrote:
> There is no memory allocation failure check in uri_store().
> That can lead to NULL pointer dereference.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Alexey Khoroshilov <[email protected]>
> ---
> fs/exofs/sys.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/fs/exofs/sys.c b/fs/exofs/sys.c
> index 5a7b691..1b4f2f9 100644
> --- a/fs/exofs/sys.c
> +++ b/fs/exofs/sys.c
> @@ -80,8 +80,13 @@ static ssize_t uri_show(struct exofs_dev *edp, char *buf)
>
> static ssize_t uri_store(struct exofs_dev *edp, const char *buf, size_t len)
> {
> + uint8_t *new_uri;
> +
> edp->urilen = strlen(buf) + 1;
> - edp->uri = krealloc(edp->uri, edp->urilen, GFP_KERNEL);
> + new_uri = krealloc(edp->uri, edp->urilen, GFP_KERNEL);
> + if (new_uri == NULL)
> + return -ENOMEM;
> + edp->uri = new_uri;
> strncpy(edp->uri, buf, edp->urilen);
> return edp->urilen;
> }
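Review bot: the len argument of uri_store() is never used; the size is taken from strlen(buf) and the function returns edp->urilen, that is strlen(buf) + 1, which can be one more than the len bytes the caller passed in. Consider bounding the copy by len and returning len, so the caller is told that exactly the bytes it wrote were consumed.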
Ack-by : Sachin Bhamare <[email protected]>

2012-08-12 18:57:49

by Boaz Harrosh

Subject: Re: [PATCH] exofs: check for allocation failure in uri_store()

On 08/09/2012 09:54 PM, Sachin Bhamare wrote:

> On 8/8/12 10:02 AM, Alexey Khoroshilov wrote:
>> There is no memory allocation failure check in uri_store().
>> That can lead to NULL pointer dereference.
>>
>> Found by Linux Driver Verification project (linuxtesting.org).
>>
>> Signed-off-by: Alexey Khoroshilov <[email protected]>
>> ---
>> fs/exofs/sys.c | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/exofs/sys.c b/fs/exofs/sys.c
>> index 5a7b691..1b4f2f9 100644
>> --- a/fs/exofs/sys.c
>> +++ b/fs/exofs/sys.c
>> @@ -80,8 +80,13 @@ static ssize_t uri_show(struct exofs_dev *edp, char *buf)
>>
>> static ssize_t uri_store(struct exofs_dev *edp, const char *buf, size_t len)
>> {
>> + uint8_t *new_uri;
>> +
>> edp->urilen = strlen(buf) + 1;
>> - edp->uri = krealloc(edp->uri, edp->urilen, GFP_KERNEL);
>> + new_uri = krealloc(edp->uri, edp->urilen, GFP_KERNEL);
>> + if (new_uri == NULL)
>> + return -ENOMEM;
>> + edp->uri = new_uri;
>> strncpy(edp->uri, buf, edp->urilen);
>> return edp->urilen;
>> }
> Ack-by : Sachin Bhamare <[email protected]>


Has been pushed to linux-next; will be included in the next RCX
push to Linus.

Thanks
Boaz