Message ID | 20241216042752.257090-2-leocstone@gmail.com (mailing list archive) |
---|---|
State | New |
Series | mm: huge_memory: Handle strsep not finding delimiter |
On Sun, 15 Dec 2024 20:27:51 -0800 Leo Stone <leocstone@gmail.com> wrote: > split_huge_pages_write does not handle the case where strsep finds no > delimiter in the given string and sets the input buffer to NULL, > which allows this reproducer to trigger a protection fault. > > ... > > --- a/mm/huge_memory.c > +++ b/mm/huge_memory.c > @@ -4168,7 +4168,7 @@ static ssize_t split_huge_pages_write(struct file *file, const char __user *buf, > size_t input_len = strlen(input_buf); > > tok = strsep(&buf, ","); > - if (tok) { > + if (tok && buf) { > strscpy(file_path, tok); > } else { > ret = -EINVAL; lgtm, thanks. The duplicated `buf' made review of this unnecessarily annoying, so... From: Andrew Morton <akpm@linux-foundation.org> Subject: mm/huge_memory.c: rename shadowed local Date: Sun Dec 15 09:44:47 PM PST 2024 split_huge_pages_write() has a local `buf' which shadows incoming arg `buf'. Reviewer confusion resulted. Cc: Leo Stone <leocstone@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> --- mm/huge_memory.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- a/mm/huge_memory.c~mm-huge_memoryc-rename-shadowed-local +++ a/mm/huge_memory.c @@ -4169,20 +4169,21 @@ static ssize_t split_huge_pages_write(st if (input_buf[0] == '/') { char *tok; - char *buf = input_buf; + char *tok_buf = input_buf; char file_path[MAX_INPUT_BUF_SZ]; pgoff_t off_start = 0, off_end = 0; size_t input_len = strlen(input_buf); - tok = strsep(&buf, ","); - if (tok && buf) { + tok = strsep(&tok_buf, ","); + if (tok && tok_buf) { strscpy(file_path, tok); } else { ret = -EINVAL; goto out; } - ret = sscanf(buf, "0x%lx,0x%lx,%d", &off_start, &off_end, &new_order); + ret = sscanf(tok_buf, "0x%lx,0x%lx,%d", &off_start, + &off_end, &new_order); if (ret != 2 && ret != 3) { ret = -EINVAL; goto out;
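Review bot: the rename hunk also rewraps the sscanf() call onto two lines (`+ ret = sscanf(tok_buf, "0x%lx,0x%lx,%d", &off_start,` / `+ &off_end, &new_order);`), which is a sensible wrap but is not mentioned in the commit message; saying that the patch is a no-functional-change rename plus a line wrap would save the next reviewer from hunting for a behavioural difference. Otherwise the rename does what it claims: with `tok_buf` distinct from the `buf` parameter, `if (tok && tok_buf)` now reads as the check it is, that strsep() found a ',' before the remainder is handed to sscanf().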
diff --git a/mm/huge_memory.c b/mm/huge_memory.c index ee335d96fc39..361319f749f0 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -4168,7 +4168,7 @@ static ssize_t split_huge_pages_write(struct file *file, const char __user *buf, size_t input_len = strlen(input_buf); tok = strsep(&buf, ","); - if (tok) { + if (tok && buf) { strscpy(file_path, tok); } else { ret = -EINVAL;
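Review bot: `buf` in the new `if (tok && buf)` condition is the local that strsep() advances, not the `const char __user *buf` parameter shown in the hunk header, and nothing in the hunk says why `buf` being NULL matters; a one-line comment next to the check, for example `/* strsep() sets buf to NULL when no ',' follows the path */`, or renaming the local, would make the guard self-explanatory. The check is in the right place: strsep() leaves the pointer NULL only when it finds no delimiter, which is exactly the no-comma input the changelog describes.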
split_huge_pages_write does not handle the case where strsep finds no delimiter in the given string and sets the input buffer to NULL, which allows this reproducer to trigger a protection fault. Reported-by: syzbot+8a3da2f1bbf59227c289@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8a3da2f1bbf59227c289 Signed-off-by: Leo Stone <leocstone@gmail.com> --- mm/huge_memory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
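As an added userspace model of the parse this fix guards (not kernel code and not part of either patch in the thread), the function below keeps the field names and the `tok && tok_buf` check from the thread so the no-delimiter case can be exercised without the protection fault; `MAX_INPUT_BUF_SZ`, the error convention and the sample lines are constructed assumptions for this model.

```c
#define _GNU_SOURCE          /* strsep() in glibc's <string.h> */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_INPUT_BUF_SZ 255 /* assumed size for this model only */

/* Model of the "/path,0xSTART,0xEND[,ORDER]" branch of
 * split_huge_pages_write(), with the strsep() check from the fix and
 * the tok_buf rename from the follow-up.  Returns 0 or -EINVAL. */
static int parse_path_line(const char *line, char *file_path,
                           unsigned long *off_start, unsigned long *off_end,
                           int *new_order)
{
    char input_buf[MAX_INPUT_BUF_SZ];
    char *tok_buf = input_buf;
    char *tok;
    int ret;

    snprintf(input_buf, sizeof(input_buf), "%s", line);
    if (input_buf[0] != '/')
        return -EINVAL;

    /* strsep() cuts the first field at ',' and advances tok_buf past
     * it.  When the string holds no ',' at all, strsep() sets tok_buf
     * to NULL; without the tok_buf check the NULL would reach
     * sscanf() below, which is the fault syzbot reported. */
    tok = strsep(&tok_buf, ",");
    if (!tok || !tok_buf)
        return -EINVAL;
    snprintf(file_path, MAX_INPUT_BUF_SZ, "%s", tok);

    ret = sscanf(tok_buf, "0x%lx,0x%lx,%d", off_start, off_end, new_order);
    if (ret != 2 && ret != 3)
        return -EINVAL;
    return 0;
}

/* Constructed sample lines: one well-formed, one with no delimiter. */
static const char *good_line = "/dev/shm/testfile,0x1000,0x3000,2";
static const char *no_delim_line = "/dev/shm/testfile";

int main(void)
{
    char path[MAX_INPUT_BUF_SZ];
    unsigned long s = 0, e = 0;
    int order = -1;

    printf("good line: %d\n", parse_path_line(good_line, path, &s, &e, &order));
    printf("no delimiter: %d\n", parse_path_line(no_delim_line, path, &s, &e, &order));
    return 0;
}
```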