[PATCH] mm/pagemap: fix null ptr deref in do_pagemap_cmd

From: Edward Adam Davis
Date: Tue Mar 05 2024 - 06:38:29 EST

Next message: Jiangfeng Xiao: "Re: [PATCH] usercopy: delete __noreturn from usercopy_abort"
Previous message: Breno Leitao: "[PATCH net-next] net: macsec: Leverage core stats allocator"
In reply to: syzbot: "Re: [syzbot] [fs?] KASAN: null-ptr-deref Write in do_pagemap_cmd"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When pagemap_open() runs in the kernel thread context, task->mm is NULL, it will
causes the pagemap file object's file->private_date to be NULL when the pagemap
file is opened, this will ultimately result in do_pagemap_cmd() referencing a
null pointer.

So, before PAGEMAP_SCAN ioctl() call do_pagemap_scan(), need check mm first.

Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
Reported-and-tested-by: syzbot+02e64be5307d72e9c309@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
---
fs/proc/task_mmu.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 3f78ebbb795f..ab28666956d0 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -2510,6 +2510,8 @@ static long do_pagemap_cmd(struct file *file, unsigned int cmd,

switch (cmd) {
case PAGEMAP_SCAN:
+ if (!mm)
+ return -EINVAL;
return do_pagemap_scan(mm, arg);

default:
--
2.43.0

Next message: Jiangfeng Xiao: "Re: [PATCH] usercopy: delete __noreturn from usercopy_abort"
Previous message: Breno Leitao: "[PATCH net-next] net: macsec: Leverage core stats allocator"
In reply to: syzbot: "Re: [syzbot] [fs?] KASAN: null-ptr-deref Write in do_pagemap_cmd"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]