Message ID | 20200614012001.18468-1-gaurav1086@gmail.com
---|---
State | Not Applicable
Delegated to | BPF Maintainers
Series | Fix null pointer dereference in vector_user_bpf
On 14/06/2020 02:19, Gaurav Singh wrote: > The bpf_prog is being checked for !NULL after uml_kmalloc > but later its used directly for example: > bpf_prog->filter = bpf and is also later returned upon > success. Fix this, do a NULL check and return right away. > > Signed-off-by: Gaurav Singh <gaurav1086@gmail.com> > --- > arch/um/drivers/vector_user.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/arch/um/drivers/vector_user.c b/arch/um/drivers/vector_user.c > index c4a0f26b2824..0e6d6717bf73 100644 > --- a/arch/um/drivers/vector_user.c > +++ b/arch/um/drivers/vector_user.c > @@ -789,10 +789,12 @@ void *uml_vector_user_bpf(char *filename) > return false; > } > bpf_prog = uml_kmalloc(sizeof(struct sock_fprog), UM_GFP_KERNEL); > - if (bpf_prog != NULL) { > - bpf_prog->len = statbuf.st_size / sizeof(struct sock_filter); > - bpf_prog->filter = NULL; > + if (bpf_prog == NULL) { > + printk(KERN_ERR "Failed to allocate bpf prog buffer"); > + return NULL; > } > + bpf_prog->len = statbuf.st_size / sizeof(struct sock_filter); > + bpf_prog->filter = NULL; > ffd = os_open_file(filename, of_read(OPENFLAGS()), 0); > if (ffd < 0) { > printk(KERN_ERR "Error %d opening bpf file", -errno); > Acked-By: Anton Ivanov <anton.ivanov@cambridgegreys.com>
diff --git a/arch/um/drivers/vector_user.c b/arch/um/drivers/vector_user.c index c4a0f26b2824..0e6d6717bf73 100644 --- a/arch/um/drivers/vector_user.c +++ b/arch/um/drivers/vector_user.c @@ -789,10 +789,12 @@ void *uml_vector_user_bpf(char *filename) return false; } bpf_prog = uml_kmalloc(sizeof(struct sock_fprog), UM_GFP_KERNEL); - if (bpf_prog != NULL) { - bpf_prog->len = statbuf.st_size / sizeof(struct sock_filter); - bpf_prog->filter = NULL; + if (bpf_prog == NULL) { + printk(KERN_ERR "Failed to allocate bpf prog buffer"); + return NULL; } + bpf_prog->len = statbuf.st_size / sizeof(struct sock_filter); + bpf_prog->filter = NULL; ffd = os_open_file(filename, of_read(OPENFLAGS()), 0); if (ffd < 0) { printk(KERN_ERR "Error %d opening bpf file", -errno);
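Review bot: The early `return NULL;` on allocation failure is the right shape for this hunk, because the removed `if (bpf_prog != NULL)` block only guarded the two assignments while the code after it (visible in the unchanged context and in the description) dereferences and returns `bpf_prog` unconditionally; two smaller points remain in the added lines. The new `printk(KERN_ERR "Failed to allocate bpf prog buffer");` has no trailing `\n`, so the message is not terminated as its own log line (the existing `"Error %d opening bpf file"` message in the trailing context has the same defect, but newly added lines should not copy it). Also, the unchanged `return false;` two lines above the `uml_kmalloc` call sits in a function declared `void *uml_vector_user_bpf(char *filename)`; since this patch already touches the failure paths, changing it to `return NULL;` would keep every error return of the function consistent with the one being added.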
The bpf_prog is being checked for !NULL after uml_kmalloc
but later it's used directly, for example:
bpf_prog->filter = bpf and is also later returned upon
success. Fix this, do a NULL check and return right away.

Signed-off-by: Gaurav Singh <gaurav1086@gmail.com>
---
arch/um/drivers/vector_user.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)