Re: [PATCH] autofs: fix null deref in autofs_fill_super

From: Ian Kent
Date: Mon Nov 13 2023 - 23:25:51 EST


On Tue, 2023-11-14 at 11:52 +0800, Edward Adam Davis wrote:
> [Syz logs]
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 0 PID: 5098 Comm: syz-executor.0 Not tainted 6.6.0-syzkaller-15601-g4bbdb725a36b #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
> RIP: 0010:autofs_fill_super+0x47d/0xb50 fs/autofs/inode.c:334
>
> [pid  5095] mount(NULL, "./file1", "autofs", 0, "fd=0x0000000000000000") = -1 ENOMEM (Cannot allocate memory)
>
> [Analysis]
> autofs_get_inode() will return null, when memory cannot be allocated.
>
> [Fix]
> Confirm that root_inode is not null before using it.
>
> Reported-and-tested-by:
> syzbot+662f87a8ef490f45fa64@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> ---
>  fs/autofs/inode.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
> index a5083d447a62..f2e89a444edf 100644
> --- a/fs/autofs/inode.c
> +++ b/fs/autofs/inode.c
> @@ -331,6 +331,9 @@ static int autofs_fill_super(struct super_block
> *s, struct fs_context *fc)
>                 goto fail;
>  
>         root_inode = autofs_get_inode(s, S_IFDIR | 0755);
> +       if (!root_inode)
> +               goto fail;
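Review bot: the new `goto fail;` on the `!root_inode` path jumps past the cleanup for the `ino` structure allocated just above this hunk, so the ENOMEM path that syzbot hit now trades a NULL dereference for a memory leak; the error branch should use the existing `fail_ino` label (`goto fail_ino;`) so `ino` is released, as the reply below also points out. Once the root dentry has been created the dentry owns `ino` and frees it, so no change is needed on the later error paths; a brief comment on the `fail_ino` label stating that ownership hand-off would make the two different cleanup targets easier to audit next time.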

Yes, I think this is the only thing it could be.

There's one small problem though, it leaks the dentry info. ino,
allocated just above. I think this should goto label fail_ino instead.

Note that once the root dentry is allocated then the ino struct will
be freed when the dentry is freed so ino doesn't need to be freed.

Ian