diff options
author | Jia-Ju Bai <baijiaju1990@gmail.com> | 2019-07-24 04:22:42 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-07-25 15:32:51 +0200 |
commit | bbe70e4e421116db0af3acf84cbce3c3f6cac53e (patch) | |
tree | 189d5d1d40f6f7584304ca23f3f047fbb233e1a0 /fs/kernfs | |
parent | kernfs: fix potential null pointer dereference (diff) | |
download | linux-bbe70e4e421116db0af3acf84cbce3c3f6cac53e.tar.xz linux-bbe70e4e421116db0af3acf84cbce3c3f6cac53e.zip |
fs: kernfs: Fix possible null-pointer dereferences in kernfs_path_from_node_locked()
In kernfs_path_from_node_locked(), there is an if statement on line 147
to check whether buf is NULL:
if (buf)
When buf is NULL, it is used on line 151:
len += strlcpy(buf + len, parent_str, ...)
and line 158:
len += strlcpy(buf + len, "/", ...)
and line 160:
len += strlcpy(buf + len, kn->name, ...)
Thus, possible null-pointer dereferences may occur.
To fix these possible bugs, buf is checked before being used.
If it is NULL, -EINVAL is returned.
These bugs are found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Link: https://lore.kernel.org/r/20190724022242.27505-1-baijiaju1990@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/kernfs')
-rw-r--r-- | fs/kernfs/dir.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c index ddf537923a0a..6ebae6bbe6a5 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -137,6 +137,9 @@ static int kernfs_path_from_node_locked(struct kernfs_node *kn_to, if (kn_from == kn_to) return strlcpy(buf, "/", buflen); + if (!buf) + return -EINVAL; + common = kernfs_common_ancestor(kn_from, kn_to); if (WARN_ON(!common)) return -EINVAL; @@ -144,8 +147,7 @@ static int kernfs_path_from_node_locked(struct kernfs_node *kn_to, depth_to = kernfs_depth(common, kn_to); depth_from = kernfs_depth(common, kn_from); - if (buf) - buf[0] = '\0'; + buf[0] = '\0'; for (i = 0; i < depth_from; i++) len += strlcpy(buf + len, parent_str, |