From patchwork Tue Sep 20 07:26:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ian Kent X-Patchwork-Id: 12981471 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 94928C54EE9 for ; Tue, 20 Sep 2022 07:35:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230054AbiITHfK (ORCPT ); Tue, 20 Sep 2022 03:35:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41652 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229916AbiITHfI (ORCPT ); Tue, 20 Sep 2022 03:35:08 -0400 Received: from smtp01.aussiebb.com.au (smtp01.aussiebb.com.au [121.200.0.92]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 86A5536869; Tue, 20 Sep 2022 00:35:04 -0700 (PDT) Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp01.aussiebb.com.au (Postfix) with ESMTP id 3B160100542; Tue, 20 Sep 2022 17:26:24 +1000 (AEST) X-Virus-Scanned: Debian amavisd-new at smtp01.aussiebb.com.au Received: from smtp01.aussiebb.com.au ([127.0.0.1]) by localhost (smtp01.aussiebb.com.au [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aO19ypqY0U7b; Tue, 20 Sep 2022 17:26:24 +1000 (AEST) Received: by smtp01.aussiebb.com.au (Postfix, from userid 116) id 31AD51004DE; Tue, 20 Sep 2022 17:26:24 +1000 (AEST) Received: from donald.themaw.net (180-150-90-198.b4965a.per.nbn.aussiebb.net [180.150.90.198]) by smtp01.aussiebb.com.au (Postfix) with ESMTP id 9BB5310032C; Tue, 20 Sep 2022 17:26:23 +1000 (AEST) Subject: [REPOST PATCH v3 1/2] ext4: fix possible null pointer dereference From: Ian Kent To: Al Viro Cc: Andrew Morton , Siddhesh Poyarekar , David Howells , Miklos Szeredi , Carlos Maiolino , linux-fsdevel , Kernel Mailing List Date: Tue, 20 Sep 2022 15:26:23 +0800 Message-ID: <166365878336.39016.10934709128005232231.stgit@donald.themaw.net> In-Reply-To: <166365872189.39016.10771273319597352356.stgit@donald.themaw.net> References: <166365872189.39016.10771273319597352356.stgit@donald.themaw.net> User-Agent: StGit/1.1 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org It could be the case that the file system parameter ->string value is NULL rather than a zero length string. Guard against this possibility in ext4_parse_param(). Reported-by: kernel test robot Signed-off-by: Ian Kent --- fs/ext4/super.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 9a66abcca1a8..9f0ecb25c9a6 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -2110,12 +2110,12 @@ static int ext4_parse_param(struct fs_context *fc, struct fs_parameter *param) switch (token) { #ifdef CONFIG_QUOTA case Opt_usrjquota: - if (!*param->string) + if (!param->string || !*param->string) return unnote_qf_name(fc, USRQUOTA); else return note_qf_name(fc, USRQUOTA, param); case Opt_grpjquota: - if (!*param->string) + if (!param->string || !*param->string) return unnote_qf_name(fc, GRPQUOTA); else return note_qf_name(fc, GRPQUOTA, param); From patchwork Tue Sep 20 07:26:29 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ian Kent X-Patchwork-Id: 12981470 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B8A9DECAAD8 for ; Tue, 20 Sep 2022 07:35:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229950AbiITHfI (ORCPT ); Tue, 20 Sep 2022 03:35:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41570 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229691AbiITHfG (ORCPT ); Tue, 20 Sep 2022 03:35:06 -0400 X-Greylist: delayed 516 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Tue, 20 Sep 2022 00:35:04 PDT Received: from smtp01.aussiebb.com.au (smtp01.aussiebb.com.au [IPv6:2403:5800:3:25::1001]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 34663356C8; Tue, 20 Sep 2022 00:35:03 -0700 (PDT) Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp01.aussiebb.com.au (Postfix) with ESMTP id 45182100537; Tue, 20 Sep 2022 17:26:30 +1000 (AEST) X-Virus-Scanned: Debian amavisd-new at smtp01.aussiebb.com.au Received: from smtp01.aussiebb.com.au ([127.0.0.1]) by localhost (smtp01.aussiebb.com.au [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ue6JXijPUc58; Tue, 20 Sep 2022 17:26:30 +1000 (AEST) Received: by smtp01.aussiebb.com.au (Postfix, from userid 116) id 3D54E100578; Tue, 20 Sep 2022 17:26:30 +1000 (AEST) Received: from donald.themaw.net (180-150-90-198.b4965a.per.nbn.aussiebb.net [180.150.90.198]) by smtp01.aussiebb.com.au (Postfix) with ESMTP id 715931004DE; Tue, 20 Sep 2022 17:26:29 +1000 (AEST) Subject: [REPOST PATCH v3 2/2] vfs: parse: deal with zero length string value From: Ian Kent To: Al Viro Cc: Andrew Morton , Siddhesh Poyarekar , David Howells , Miklos Szeredi , Carlos Maiolino , linux-fsdevel , Kernel Mailing List Date: Tue, 20 Sep 2022 15:26:29 +0800 Message-ID: <166365878918.39016.12757946948158123324.stgit@donald.themaw.net> In-Reply-To: <166365872189.39016.10771273319597352356.stgit@donald.themaw.net> References: <166365872189.39016.10771273319597352356.stgit@donald.themaw.net> User-Agent: StGit/1.1 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org Parsing an fs string that has zero length should result in the parameter being set to NULL so that downstream processing handles it correctly. For example, the proc mount table processing should print "(none)" in this case to preserve mount record field count, but if the value points to the NULL string this doesn't happen. Signed-off-by: Ian Kent --- fs/fs_context.c | 17 ++++++++++++----- fs/fs_parser.c | 16 ++++++++++++++++ include/linux/fs_context.h | 3 ++- 3 files changed, 30 insertions(+), 6 deletions(-) diff --git a/fs/fs_context.c b/fs/fs_context.c index 24ce12f0db32..df04e5fc6d66 100644 --- a/fs/fs_context.c +++ b/fs/fs_context.c @@ -96,7 +96,9 @@ int vfs_parse_fs_param_source(struct fs_context *fc, struct fs_parameter *param) if (strcmp(param->key, "source") != 0) return -ENOPARAM; - if (param->type != fs_value_is_string) + /* source value may be NULL */ + if (param->type != fs_value_is_string && + param->type != fs_value_is_empty) return invalf(fc, "Non-string source"); if (fc->source) @@ -175,10 +177,15 @@ int vfs_parse_fs_string(struct fs_context *fc, const char *key, }; if (value) { - param.string = kmemdup_nul(value, v_size, GFP_KERNEL); - if (!param.string) - return -ENOMEM; - param.type = fs_value_is_string; + if (!v_size) { + param.string = NULL; + param.type = fs_value_is_empty; + } else { + param.string = kmemdup_nul(value, v_size, GFP_KERNEL); + if (!param.string) + return -ENOMEM; + param.type = fs_value_is_string; + } } ret = vfs_parse_fs_param(fc, ¶m); diff --git a/fs/fs_parser.c b/fs/fs_parser.c index ed40ce5742fd..2046f41ab00b 100644 --- a/fs/fs_parser.c +++ b/fs/fs_parser.c @@ -197,6 +197,8 @@ int fs_param_is_bool(struct p_log *log, const struct fs_parameter_spec *p, struct fs_parameter *param, struct fs_parse_result *result) { int b; + if (param->type == fs_value_is_empty) + return 0; if (param->type != fs_value_is_string) return fs_param_bad_value(log, param); if (!*param->string && (p->flags & fs_param_can_be_empty)) @@ -213,6 +215,8 @@ int fs_param_is_u32(struct p_log *log, const struct fs_parameter_spec *p, struct fs_parameter *param, struct fs_parse_result *result) { int base = (unsigned long)p->data; + if (param->type == fs_value_is_empty) + return 0; if (param->type != fs_value_is_string) return fs_param_bad_value(log, param); if (!*param->string && (p->flags & fs_param_can_be_empty)) @@ -226,6 +230,8 @@ EXPORT_SYMBOL(fs_param_is_u32); int fs_param_is_s32(struct p_log *log, const struct fs_parameter_spec *p, struct fs_parameter *param, struct fs_parse_result *result) { + if (param->type == fs_value_is_empty) + return 0; if (param->type != fs_value_is_string) return fs_param_bad_value(log, param); if (!*param->string && (p->flags & fs_param_can_be_empty)) @@ -239,6 +245,8 @@ EXPORT_SYMBOL(fs_param_is_s32); int fs_param_is_u64(struct p_log *log, const struct fs_parameter_spec *p, struct fs_parameter *param, struct fs_parse_result *result) { + if (param->type == fs_value_is_empty) + return 0; if (param->type != fs_value_is_string) return fs_param_bad_value(log, param); if (!*param->string && (p->flags & fs_param_can_be_empty)) @@ -253,6 +261,8 @@ int fs_param_is_enum(struct p_log *log, const struct fs_parameter_spec *p, struct fs_parameter *param, struct fs_parse_result *result) { const struct constant_table *c; + if (param->type == fs_value_is_empty) + return 0; if (param->type != fs_value_is_string) return fs_param_bad_value(log, param); if (!*param->string && (p->flags & fs_param_can_be_empty)) @@ -268,6 +278,8 @@ EXPORT_SYMBOL(fs_param_is_enum); int fs_param_is_string(struct p_log *log, const struct fs_parameter_spec *p, struct fs_parameter *param, struct fs_parse_result *result) { + if (param->type == fs_value_is_empty) + return 0; if (param->type != fs_value_is_string || (!*param->string && !(p->flags & fs_param_can_be_empty))) return fs_param_bad_value(log, param); @@ -278,6 +290,8 @@ EXPORT_SYMBOL(fs_param_is_string); int fs_param_is_blob(struct p_log *log, const struct fs_parameter_spec *p, struct fs_parameter *param, struct fs_parse_result *result) { + if (param->type == fs_value_is_empty) + return 0; if (param->type != fs_value_is_blob) return fs_param_bad_value(log, param); return 0; @@ -287,6 +301,8 @@ EXPORT_SYMBOL(fs_param_is_blob); int fs_param_is_fd(struct p_log *log, const struct fs_parameter_spec *p, struct fs_parameter *param, struct fs_parse_result *result) { + if (param->type == fs_value_is_empty) + return 0; switch (param->type) { case fs_value_is_string: if ((!*param->string && !(p->flags & fs_param_can_be_empty)) || diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h index 13fa6f3df8e4..ff1375a16c8c 100644 --- a/include/linux/fs_context.h +++ b/include/linux/fs_context.h @@ -50,7 +50,8 @@ enum fs_context_phase { */ enum fs_value_type { fs_value_is_undefined, - fs_value_is_flag, /* Value not given a value */ + fs_value_is_flag, /* Does not take a value */ + fs_value_is_empty, /* Value is not given */ fs_value_is_string, /* Value is a string */ fs_value_is_blob, /* Value is a binary blob */ fs_value_is_filename, /* Value is a filename* + dirfd */