[PATCH] bfs: Fix null pointer dereference in bfs_move_block

From: Yuran Pereira
Date: Sun Nov 26 2023 - 18:44:50 EST

Next message: Stephen Rothwell: "linux-next: build failure after merge of the drm-misc tree"
Previous message: kernel test robot: "Re: [PATCH 2/6] twl-core: add power off implementation for twl603x"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Syzkaller reported a NULL pointer dereference in
bfs_move_block.

sb_getblk may return a NULL pointer, and if unchecked
this can lead to a NULL pointer dereference. This is
the case in bfs_move_block, where `new` is not checked
before being dereferenced in the memcpy call.

This patch adds a propper check to the return value of
sb_getblk, stored in `new` and ensures that any previously
allocated resource, is deallocated before returning with
an appropriate error code if the `new` pointer is NULL.

Closes: https://syzkaller.appspot.com/bug?extid=dc6ed11a88fb40d6e184
Signed-off-by: Yuran Pereira <yuran.pereira@xxxxxxxxxxx>
---
fs/bfs/file.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/fs/bfs/file.c b/fs/bfs/file.c
index adc2230079c6..8a97909b1484 100644
--- a/fs/bfs/file.c
+++ b/fs/bfs/file.c
@@ -38,7 +38,12 @@ static int bfs_move_block(unsigned long from, unsigned long to,
bh = sb_bread(sb, from);
if (!bh)
return -EIO;
+
new = sb_getblk(sb, to);
+ if (!new) {
+ bforget(bh);
+ return -ENOMEM;
+ }
memcpy(new->b_data, bh->b_data, bh->b_size);
mark_buffer_dirty(new);
bforget(bh);
--
2.25.1

Next message: Stephen Rothwell: "linux-next: build failure after merge of the drm-misc tree"
Previous message: kernel test robot: "Re: [PATCH 2/6] twl-core: add power off implementation for twl603x"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]