发件人: Dongyang Zhan <[email protected]>
Date: 2020年5月3日周日 下午1:45
Subject: Possible null pointer dereference caused by vmstat_start()
To: <[email protected]>
Cc: <[email protected]>
In Linux 4.10.17, vmstat_start() stores the results of v =
kmalloc(stat_items_size, GFP_KERNEL) in m->private = v before security
check. If m->private is accessed, it may cause null pointer
dereference.
Source code link:
https://elixir.bootlin.com/linux/v4.10.17/source/mm/vmstat.c#L1465
Source code;
v = kmalloc(stat_items_size, GFP_KERNEL);
m->private = v; //stores v before check;
if (!v)
return ERR_PTR(-ENOMEM);
Function rdtgroup_seqfile_show() in
arch/x86/kernel/cpu/intel_rdt_rdtgroup.c access this pointer without
check, which is a possible bug.
Link:
https://elixir.bootlin.com/linux/v4.10.17/source/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c#150
Source Code
static int rdtgroup_seqfile_show(struct seq_file *m, void *arg)
{
struct kernfs_open_file *of = m->private;
struct rftype *rft = of->kn->priv; // without check;
if (rft->seq_show)
return rft->seq_show(of, m, arg);
return 0;
}