Message-ID: <16b5bd2f-8098-0447-d3c9-0e764cf78d01@paragon-software.com>
Date: Mon, 8 May 2023 16:57:32 +0400
Subject: Re: [PATCH] fs: ntfs3: Fix possible null-pointer dereferences in mi_read()
From: Konstantin Komarov
To: Jia-Ju Bai
In-Reply-To: <20230321132211.3103922-1-baijiaju@buaa.edu.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

On 21.03.2023 17:22, Jia-Ju Bai wrote:
> In a previous commit 2681631c2973 ("fs/ntfs3: Add null pointer check to
> attr_load_runs_vcn"), ni can be NULL in attr_load_runs_vcn(), and thus it
> should be checked before being used.
>
> However, in the call stack of this commit, mft_ni in mi_read() is
> aliased with ni in attr_load_runs_vcn(), and it is also used in
> mi_read() at two places:
>
> mi_read()
>   rw_lock = &mft_ni->file.run_lock -> No check
>   attr_load_runs_vcn(mft_ni, ...)
>     ni (namely mft_ni) is checked in the previous commit
>   attr_load_runs_vcn(..., &mft_ni->file.run) -> No check
>
> Thus, to avoid possible null-pointer dereferences, the related checks
> should be added.
>
> These bugs are reported by a static analysis tool implemented by myself,
> and they are found by extending a known bug fixed in the previous commit.
> Thus, they could be theoretical bugs.
>
> Signed-off-by: Jia-Ju Bai
> --- > fs/ntfs3/record.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c > index defce6a5c8e1..dfa1fed9c0d9 100644 > --- a/fs/ntfs3/record.c > +++ b/fs/ntfs3/record.c 
> @@ -124,7 +124,7 @@ int mi_read(struct mft_inode *mi, bool is_mft) > struct rw_semaphore *rw_lock = NULL; > > if (is_mounted(sbi)) { > - if (!is_mft) { > + if (!is_mft && mft_ni) { > rw_lock = &mft_ni->file.run_lock; > down_read(rw_lock); > } > @@ -148,7 +148,7 @@ int mi_read(struct mft_inode *mi, bool is_mft) > ni_lock(mft_ni); > down_write(rw_lock); > } > - err = attr_load_runs_vcn(mft_ni, ATTR_DATA, NULL, 0, &mft_ni->file.run, > + err = attr_load_runs_vcn(mft_ni, ATTR_DATA, NULL, 0, run, > vbo >> sbi->cluster_bits); > if (rw_lock) { > up_write(rw_lock); Thanks, your patch has been applied.
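Review bot: In the first hunk (@@ -124,7), the new condition "if (!is_mft && mft_ni)" leaves rw_lock as NULL when mft_ni is NULL, so on a mounted volume the read that follows runs without run_lock held, and nothing in the hunk says why that is safe. The later unlock shown in the second hunk is guarded by "if (rw_lock)", so the paths stay balanced, but a short comment stating when mft_ni can legitimately be NULL while is_mounted(sbi) is true, and that no lock is needed in that state, would make the intent reviewable. If that state is never expected, returning an error early would be clearer than silently skipping the lock.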
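Review bot: In the second hunk (@@ -148,7), the replacement argument "run" is neither declared nor assigned in any line of this patch, and the diffstat (2 insertions, 2 deletions) confirms that no such line was added, so the fix depends on a pre-existing local that the diff does not show. Please confirm, and say in the commit message, that "run" is NULL or otherwise valid when mft_ni is NULL and equals &mft_ni->file.run in every other case. Note also that the removed expression "&mft_ni->file.run" only computes an address: with a NULL mft_ni it produces a small non-NULL pointer that a NULL check in the callee would not catch, which is a more precise description of the problem than "dereference". The call still passes mft_ni as its first argument and relies on the check added in commit 2681631c2973, so naming that dependency next to the call would help.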