Bug 213083 - udf: Possible patch for NULL pointer dereference in udf_symlink function
Summary: udf: Possible patch for NULL pointer dereference in udf_symlink function
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: UDF (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Jan Kara
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-15 14:03 UTC by koredump
Modified: 2021-05-20 12:25 UTC (History)
1 user (show)

See Also:
Kernel Version: 5.x
Tree: Mainline
Regression: No


Attachments
Proposed patch to fix NULL pointer dereference in udf_symlink function (1.19 KB, patch)
2021-05-18 10:37 UTC, koredump
Details | Diff

Description koredump 2021-05-15 14:03:19 UTC
In "fs/udf/namei.c" there is a possible NULL pointer dereference bug in udf_symlink:882 function.

This is the relevant piece of code:
> 936         epos.bh = udf_tgetblk(sb, block);
> 937         lock_buffer(epos.bh);
> 938         memset(epos.bh->b_data, 0x00, bsize);
> 939         set_buffer_uptodate(epos.bh);
> 940         unlock_buffer(epos.bh);

At line 936 epos.bh is assigned with the value returned by udf_tgetblk. Then, epos.bh is used without any check, however it could be NULL.
The function udf_tgetblk is defined in udf/misc.c and returns the value of sb_getblk function without any check.
> 31 struct buffer_head *udf_tgetblk(struct super_block *sb, udf_pblk_t block)
> 32 {
> 33     if (UDF_QUERY_FLAG(sb, UDF_FLAG_VARCONV))
> 34         return sb_getblk(sb, udf_fixed_to_variable(block));
> 35     else
> 36         return sb_getblk(sb, block);
> 37 }

Considering the older patches related to sb_getblk, a possible fix is the following:
> 936         epos.bh = udf_tgetblk(sb, block);
> +++         if (unlikely(!epos.bh)) {
> +++             err = -ENOMEM;
> +++             goto out_no_entry;
> +++         }
> 937         lock_buffer(epos.bh);
> 938         memset(epos.bh->b_data, 0x00, bsize);
> 939         set_buffer_uptodate(epos.bh);
> 940         unlock_buffer(epos.bh);
Comment 1 Jan Kara 2021-05-17 11:27:02 UTC
Thanks for report. You are correct. Will you send a proper fix for this (with a changelog, signed-off-by, etc.)?
Comment 2 koredump 2021-05-18 07:17:00 UTC
Yes, however give me few days to understand how this process works, this is my first patch to the kernel. I will let you know soon.
Comment 3 Jan Kara 2021-05-18 08:50:41 UTC
Sure, if you have any questions, feel free to email me :).
Comment 4 Jan Kara 2021-05-18 08:53:08 UTC
Not sure if you've already found it but a (somewhat long) description of the process is here: https://www.kernel.org/doc/html/v5.12/process/submitting-patches.html
Comment 5 koredump 2021-05-18 10:37:32 UTC
Created attachment 296829 [details]
Proposed patch to fix NULL pointer dereference in udf_symlink function
Comment 6 Jan Kara 2021-05-20 10:15:44 UTC
Thanks! I've added the patch to my tree.
Comment 7 koredump 2021-05-20 12:25:33 UTC
Thank you for your responsiveness and support :)

Note You need to log in before you can comment on or make changes to this bug.