Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp11982043ybi; Fri, 26 Jul 2019 02:51:27 -0700 (PDT) X-Google-Smtp-Source: APXvYqzRmi2szYQH0vxHDd+slh1kHZEDKM7CRxQHxWljwHDckCTdf3HBughQlcT3zLO7UJWRVgih X-Received: by 2002:a17:902:28c9:: with SMTP id f67mr56388148plb.19.1564134687771; Fri, 26 Jul 2019 02:51:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564134687; cv=none; d=google.com; s=arc-20160816; b=e944qx3OJlrA2Q8dgVyJ+qBjNZxIV0MU4PraZgJzlEWmAk5hdE6WOF+7b5E5+xznAE X6KR4N3dJkQpFOZllNdA4XK1xuJM2dBq5tUBZ4quOjPBf9hPoT8DCPWVMrcr8/sud27w IIq3G0z7TAE/6g9FzqBOT/0Qfim5N/4dW1hp3p7vpdcRyvAg2V7iyE6LYtkY4OTV58jM 8Hu47Trq/xPVxWIdA7Ws2GDDJ3+d8P7HpnudbfTDPphYmzrEgSOqvBGB92bY8cWw9g/h /8ktjYd5fXrJQvDOiJfIpmOeF/+lX+XaksDyj8LFfdaRHB4Cq7B+gd2afjyoFgibc/n7 IBxQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=xIePdwlRsoSX5vOkckcAtTCmUBJ6y/4+xukjXHlBQs4=; b=N2WJB8iHfVAhsC1Hxdigx7Zegub4J5CFC//4j7x4GaoBT0fWO7xxqrP1PbZM0NpLQD jbkvpzsd1k7EdyGtIk290Ld4zvatk50n7+fCmyYpOW0rFe8ejr7cyCTQr4XxC5iBd8mR aeuQ4nEgBiabpyZs9w0xYFkOJQjTZfmSCyvNh6yYoD4DWs1Pz88zXzjXBIvcG1t++Jye b8SpZwY6shdXmbfP0QJGDcpWBqQpdaZtrpSVX6l6BKL9KuGt8UIVHv5N4hmVWYbayNBK fvQ2ZBqPljAjTbv0wp7TfHIYhL7TBYDIKiBlHH8DSTL7KM0ZvOPDH03oqtv40PdT2z5G zE8g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KB1LOAuR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id gn3si17033196plb.321.2019.07.26.02.51.12; Fri, 26 Jul 2019 02:51:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KB1LOAuR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726469AbfGZJuI (ORCPT + 99 others); Fri, 26 Jul 2019 05:50:08 -0400 Received: from mail-pl1-f194.google.com ([209.85.214.194]:36022 "EHLO mail-pl1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725842AbfGZJuH (ORCPT ); Fri, 26 Jul 2019 05:50:07 -0400 Received: by mail-pl1-f194.google.com with SMTP id k8so24581608plt.3 for ; Fri, 26 Jul 2019 02:50:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=xIePdwlRsoSX5vOkckcAtTCmUBJ6y/4+xukjXHlBQs4=; b=KB1LOAuRl/m6/i7YzeiMqt2KribRmUYSZvq4z5XDwQ7lH9jwuCcJlNRrLStpKa5VIM FAZAdARlAytJAMcdtoogYC09Ajch5UFuZebGO/gZ+yzS5KqMGUy868mMhSgbmFKBxT8s DexT+CPvj7b160oYO7d4K6Ca2LosuLLZy7D7nag4K0H5WfV2o0oLRjRDAujL0QodqfW6 je4QtObdbs7WUPNNWIa9iZyUVrBXjbezsN7G4xip4+9c9wlv1eCiONyooexivrEvby32 2nn8tfBeA3lDbIwPNw3eRU74zVMztjVJyFcGz5Ly9XXTOylPVrA+L9NkEyM8zx8B+QuB rAlg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=xIePdwlRsoSX5vOkckcAtTCmUBJ6y/4+xukjXHlBQs4=; b=PIcydFjZDbLumStA7AA6Iw2PGx2RE/WEI+XpggRL/6D5io7sfzGwOL72Sfm/kPskvz wpoBlnzce95Ku5haJehtgMS/so7G92Q75Hht1gpsNu/up+Yxm/nwVDpL3mpO7gM30U2q iPjFOufxBoE3+Pc7mb42DOToHaZQtYMiZMpEyVYsFgHcfeUfyzAkCU5EPlIqES6oBMP+ EH7bp2+mcFp3OVb29j9CNekAD6RQivmgQPatE2heKWjTYCf9H1hf/NtiFbr88hhayZE5 UQvLP9NJ1vnJ9D6ag7NgochtX7kyzMK0yLrm0uoP6PEjZvgnZPb1mgUEfCf3ynTUxY12 AH0A== X-Gm-Message-State: APjAAAWswQXetQkfHi4NOKl4nHHIlpi5k6mjGIT4OaxblMxn6mdlInX0 OBpkXuZx8SZZdhOCDw5/pqfcS6eBJDY= X-Received: by 2002:a17:902:23:: with SMTP id 32mr8598049pla.34.1564134606688; Fri, 26 Jul 2019 02:50:06 -0700 (PDT) Received: from ?IPv6:2402:f000:4:72:808::177e? ([2402:f000:4:72:808::177e]) by smtp.gmail.com with ESMTPSA id s67sm53345975pjb.8.2019.07.26.02.50.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 26 Jul 2019 02:50:06 -0700 (PDT) Subject: Re: [PATCH 1/3] fs: ocfs2: Fix possible null-pointer dereferences in ocfs2_xa_prepare_entry() To: Joseph Qi , mark@fasheh.com, jlbec@evilplan.org Cc: ocfs2-devel@oss.oracle.com, linux-kernel@vger.kernel.org References: <20190726033655.32253-1-baijiaju1990@gmail.com> From: Jia-Ju Bai Message-ID: <620ac436-ffbc-8429-b952-278cd2a8aaba@gmail.com> Date: Fri, 26 Jul 2019 17:50:06 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2019/7/26 17:37, Joseph Qi wrote: > > On 19/7/26 11:36, Jia-Ju Bai wrote: >> In ocfs2_xa_prepare_entry(), there is an if statement on line 2136 to >> check whether loc->xl_entry is NULL: >> if (loc->xl_entry) >> >> When loc->xl_entry is NULL, it is used on line 2158: >> ocfs2_xa_add_entry(loc, name_hash); >> loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash); >> loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size); >> and line 2164: >> ocfs2_xa_add_namevalue(loc, xi); >> loc->xl_entry->xe_value_size = cpu_to_le64(xi->xi_value_len); >> loc->xl_entry->xe_name_len = xi->xi_name_len; >> >> Thus, possible null-pointer dereferences may occur. >> >> To fix these bugs, if loc-xl_entry is NULL, ocfs2_xa_prepare_entry() >> abnormally returns with -EINVAL. >> >> These bugs are found by a static analysis tool STCheck written by us. >> >> Signed-off-by: Jia-Ju Bai >> --- >> fs/ocfs2/xattr.c | 6 ++++-- >> 1 file changed, 4 insertions(+), 2 deletions(-) >> >> diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c >> index 385f3aaa2448..f690502daf3c 100644 >> --- a/fs/ocfs2/xattr.c >> +++ b/fs/ocfs2/xattr.c >> @@ -2154,8 +2154,10 @@ static int ocfs2_xa_prepare_entry(struct ocfs2_xa_loc *loc, >> } >> } >> ocfs2_xa_wipe_namevalue(loc); >> - } else >> - ocfs2_xa_add_entry(loc, name_hash); >> + } else { >> + rc = -EINVAL; >> + goto out; >> + } > Since entry not found, so there is nothing to do in > ocfs2_xa_prepare_entry(). We may change it like: > > if (!loc->xl_entry) { > rc = -EINVAL; > goto out; > } > > if (ocfs2_xa_can_reuse_entry(loc, xi)) { > ...... > } > ..... > Okay, I will send a v2 patch. Best wishes, Jia-Ju Bai