[V2] autofs: fix null ptr deref in autofs_fill_super

Message ID	tencent_A9BA25BB3A335C9EEB1B224B691B4B254708@qq.com (mailing list archive)
State	New, archived
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C7FDBD2E1; Tue, 14 Nov 2023 05:49:05 +0000 (UTC) Message-ID: <tencent_A9BA25BB3A335C9EEB1B224B691B4B254708@qq.com> From: Edward Adam Davis <eadavis@qq.com> To: raven@themaw.net Cc: autofs@vger.kernel.org, eadavis@qq.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+662f87a8ef490f45fa64@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com Subject: [PATCH V2] autofs: fix null ptr deref in autofs_fill_super Date: Tue, 14 Nov 2023 13:48:59 +0800 In-Reply-To: <4fcf49456c32087f5306e84c4a8df5b2bd9f4146.camel@themaw.net> References: <4fcf49456c32087f5306e84c4a8df5b2bd9f4146.camel@themaw.net> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[V2] autofs: fix null ptr deref in autofs_fill_super \| expand [V2] autofs: fix null ptr deref in autofs_fill_super

Message ID

tencent_A9BA25BB3A335C9EEB1B224B691B4B254708@qq.com (mailing list archive)

State

New, archived

Headers

Message-ID: <tencent_A9BA25BB3A335C9EEB1B224B691B4B254708@qq.com>
From: Edward Adam Davis <eadavis@qq.com>
To: raven@themaw.net
Cc: autofs@vger.kernel.org,
	eadavis@qq.com,
	linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	syzbot+662f87a8ef490f45fa64@syzkaller.appspotmail.com,
	syzkaller-bugs@googlegroups.com
Subject: [PATCH V2] autofs: fix null ptr deref in autofs_fill_super
Date: Tue, 14 Nov 2023 13:48:59 +0800
In-Reply-To: <4fcf49456c32087f5306e84c4a8df5b2bd9f4146.camel@themaw.net>
References: <4fcf49456c32087f5306e84c4a8df5b2bd9f4146.camel@themaw.net>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[V2] autofs: fix null ptr deref in autofs_fill_super | expand

Commit Message

Edward Adam Davis Nov. 14, 2023, 5:48 a.m. UTC

[Syz logs]
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 5098 Comm: syz-executor.0 Not tainted 6.6.0-syzkaller-15601-g4bbdb725a36b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:autofs_fill_super+0x47d/0xb50 fs/autofs/inode.c:334

[pid  5095] mount(NULL, "./file1", "autofs", 0, "fd=0x0000000000000000") = -1 ENOMEM (Cannot allocate memory)

[Analysis]
autofs_get_inode() will return null, when memory cannot be allocated.

[Fix]
Confirm that root_inode is not null before using it.

Reported-and-tested-by: syzbot+662f87a8ef490f45fa64@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/autofs/inode.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
index a5083d447a62..f2e89a444edf 100644
--- a/fs/autofs/inode.c
+++ b/fs/autofs/inode.c
@@ -331,6 +331,9 @@  static int autofs_fill_super(struct super_block *s, struct fs_context *fc)
 		goto fail;
 
 	root_inode = autofs_get_inode(s, S_IFDIR | 0755);
+	if (!root_inode)
+		goto fail_ino;
+
 	root_inode->i_uid = ctx->uid;
 	root_inode->i_gid = ctx->gid;

[V2] autofs: fix null ptr deref in autofs_fill_super

Commit Message

Patch