From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Abaci, Michael Wang, "David S. Miller", Sasha Levin
Subject: [PATCH 4.4 115/133] net: fix NULL pointer reference in cipso_v4_doi_free
Date: Mon, 20 Sep 2021 18:43:13 +0200
Message-Id: <20210920163916.385591507@linuxfoundation.org>
In-Reply-To: <20210920163912.603434365@linuxfoundation.org>

From: 王贇

[ Upstream commit 733c99ee8be9a1410287cdbb943887365e83b2d6 ]

In netlbl_cipsov4_add_std() when 'doi_def->map.std' alloc
failed, we sometime observe panic:

  BUG: kernel NULL pointer dereference, address: ...
  RIP: 0010:cipso_v4_doi_free+0x3a/0x80
  ...
  Call Trace:
   netlbl_cipsov4_add_std+0xf4/0x8c0
   netlbl_cipsov4_add+0x13f/0x1b0
   genl_family_rcv_msg_doit.isra.15+0x132/0x170
   genl_rcv_msg+0x125/0x240

This is because in cipso_v4_doi_free() there is no check
on 'doi_def->map.std' when 'doi_def->type' equal 1, which
is possible, since netlbl_cipsov4_add_std() haven't initialize
it before alloc 'doi_def->map.std'.

This patch just add the check to prevent panic happen for similar
cases.

Reported-by: Abaci
Signed-off-by: Michael Wang
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- net/netlabel/netlabel_cipso_v4.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index d31cd4d509ca..422fac2a4a3c 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c 
@@ -163,8 +163,8 @@ static int netlbl_cipsov4_add_std(struct genl_info *info, return -ENOMEM; doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL); if (doi_def->map.std == NULL) { - ret_val = -ENOMEM; - goto add_std_failure; + kfree(doi_def); + return -ENOMEM; } doi_def->type = CIPSO_V4_MAP_TRANS; -- 2.30.2
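
Review bot: the changelog and the hunk disagree, and that should be recorded in the message for this backport. The text says the fix is a check on 'doi_def->map.std' in cipso_v4_doi_free(), but the only change is in the allocation-failure branch of netlbl_cipsov4_add_std(), which now does `kfree(doi_def); return -ENOMEM;` instead of `goto add_std_failure`. That keeps this caller from reaching cipso_v4_doi_free() while 'doi_def->type' is still unset (it is assigned only afterwards, at `doi_def->type = CIPSO_V4_MAP_TRANS;`), so the reported panic is avoided here, but cipso_v4_doi_free() itself is left without the check the message describes and "similar cases" are not covered. Please either add a bracketed note to the changelog saying how and why the 4.4 version differs from the upstream commit, or carry the check as described, so that correctness of the other add_std_failure paths does not rest on call ordering alone.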