From: Tomas Bortoli
To: ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net
Cc: asmadeus@codewreck.org, davem@davemloft.net, v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, Tomas Bortoli
Subject: [PATCH] 9p: fix multiple NULL-pointer-dereferences
Date: Fri, 27 Jul 2018 13:05:58 +0200
Message-Id: <20180727110558.5479-1-tomasbortoli@gmail.com>
X-Mailer: git-send-email 2.11.0

Added checks to prevent GPFs from raising.

Signed-off-by: Tomas Bortoli
Reported-by: syzbot+1a262da37d3bead15c39@syzkaller.appspotmail.com
--- net/9p/trans_fd.c | 5 ++++- net/9p/trans_rdma.c | 3 +++ net/9p/trans_virtio.c | 3 +++ net/9p/trans_xen.c | 3 +++ 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 964260265b13..e2ef3c782c53 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -945,7 +945,7 @@ p9_fd_create_tcp(struct p9_client *client, const char *addr, char *args) if (err < 0) return err; - if (valid_ipaddr4(addr) < 0) + if (addr == NULL || valid_ipaddr4(addr) < 0) return -EINVAL; csocket = NULL; 
@@ -995,6 +995,9 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args) csocket = NULL; + if (addr == NULL) + return -EINVAL; + if (strlen(addr) >= UNIX_PATH_MAX) { pr_err("%s (%d): address too long: %s\n", __func__, task_pid_nr(current), addr); diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c index 2649b2ebf961..2ab4574183c9 100644 --- a/net/9p/trans_rdma.c +++ b/net/9p/trans_rdma.c @@ -645,6 +645,9 @@ rdma_create_trans(struct p9_client *client, const char *addr, char *args) struct rdma_conn_param conn_param; struct ib_qp_init_attr qp_attr; + if (addr == NULL) + return -EINVAL; + /* Parse the transport specific mount options */ err = parse_opts(args, &opts); if (err < 0) diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c index 06dcd3cc6a29..8ca356eb66bb 100644 --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -654,6 +654,9 @@ p9_virtio_create(struct p9_client *client, const char *devname, char *args) int ret = -ENOENT; int found = 0; + if (devname == NULL) + return -EINVAL; + mutex_lock(&virtio_9p_lock); list_for_each_entry(chan, &virtio_chan_list, chan_list) { if (!strncmp(devname, chan->tag, chan->tag_len) && diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c index 2e2b8bca54f3..c2d54ac76bfd 100644 --- a/net/9p/trans_xen.c +++ b/net/9p/trans_xen.c @@ -94,6 +94,9 @@ static int p9_xen_create(struct p9_client *client, const char *addr, char *args) { struct xen_9pfs_front_priv *priv; + if (addr == NULL) + return -EINVAL; + read_lock(&xen_9pfs_lock); list_for_each_entry(priv, &xen_9pfs_devs, list) { if (!strcmp(priv->tag, addr)) { -- 2.11.0
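Review bot: in p9_fd_create_tcp() (net/9p/trans_fd.c, hunk at -945) the addr == NULL test is evaluated only after the preceding "if (err < 0) return err;" step, whereas the rdma_create_trans() hunk rejects a NULL addr before parse_opts() runs. A caller that passes both a NULL address and bad options therefore gets a different error depending on the transport. Pick one ordering for all transports, preferably rejecting the NULL address at function entry, so the failure is reported the same way everywhere.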
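Review bot: in p9_fd_create_unix() (net/9p/trans_fd.c, hunk at -995) the new "if (addr == NULL) return -EINVAL;" fails silently, while the very next branch logs with pr_err() when the address is too long. A matching pr_err() for the missing-address case would make a failed mount diagnosable from the kernel log; the message must not pass addr to a %s format on that path. The check could also move above "csocket = NULL;" so that argument validation happens before any local setup.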
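Review bot: the identical "if (addr == NULL) return -EINVAL;" added at the top of rdma_create_trans() (net/9p/trans_rdma.c, hunk at -645) is repeated in p9_fd_create_unix() and p9_xen_create(), with variants in the tcp and virtio create functions, so a transport added later has to remember to carry its own copy. If every transport treats a NULL address as invalid, a single check at the place that invokes these create callbacks would cover them all. The commit message should also state what input leaves the address NULL, since "Added checks to prevent GPFs from raising" does not let a reader judge whether the five checks are complete.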
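Review bot: in p9_virtio_create() (net/9p/trans_virtio.c, hunk at -654) the early return gives -EINVAL while the function's own default is "int ret = -ENOENT;", so a missing devname and an unknown tag are now reported with different codes; a one-line comment saying that this is intended would help callers that inspect the error. Placing the check before mutex_lock(&virtio_9p_lock) is correct, because the return path then needs no unlock. The same holds for the xen hunk, where the check precedes read_lock(&xen_9pfs_lock).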