diff options
| author | Jia He <[email protected]> | 2019-08-09 09:24:56 +0800 |
|---|---|---|
| committer | Petr Mladek <[email protected]> | 2019-08-15 16:40:10 +0200 |
| commit | 36594b317c656bec8f968db93701d2cb9bc9155c (patch) | |
| tree | 4cebb6b88c3d8f37dc076b8bd219ec03f21f974f | |
| parent | 7011b7e1b702cc76f9e969b41d9a95969f2aecaa (diff) | |
vsprintf: Prevent crash when dereferencing invalid pointers for %pD
Commit 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid
pointers") prevents most crash except for %pD.
There is an additional pointer dereferencing before dentry_name.
At least, vma->file can be NULL and be passed to printk %pD in
print_bad_pte, which can cause crash.
This patch fixes it with introducing a new file_dentry_name.
Link: http://lkml.kernel.org/r/[email protected]
Fixes: 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers")
To: Geert Uytterhoeven <[email protected]>
To: Thomas Gleixner <[email protected]>
To: Andy Shevchenko <[email protected]>
To: [email protected]
Cc: Kees Cook <[email protected]>
Cc: "Steven Rostedt (VMware)" <[email protected]>
Cc: Shuah Khan <[email protected]>
Cc: "Tobin C. Harding" <[email protected]>
Signed-off-by: Jia He <[email protected]>
Reviewed-by: Andy Shevchenko <[email protected]>
Reviewed-by: Sergey Senozhatsky <[email protected]>
Signed-off-by: Petr Mladek <[email protected]>
| -rw-r--r-- | lib/vsprintf.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/lib/vsprintf.c b/lib/vsprintf.c index b0967cf17137..e78017a3e1bd 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -869,6 +869,15 @@ char *dentry_name(char *buf, char *end, const struct dentry *d, struct printf_sp return widen_string(buf, n, end, spec); } +static noinline_for_stack +char *file_dentry_name(char *buf, char *end, const struct file *f, + struct printf_spec spec, const char *fmt) +{ + if (check_pointer(&buf, end, f, spec)) + return buf; + + return dentry_name(buf, end, f->f_path.dentry, spec, fmt); +} #ifdef CONFIG_BLOCK static noinline_for_stack char *bdev_name(char *buf, char *end, struct block_device *bdev, @@ -2166,9 +2175,7 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, case 'C': return clock(buf, end, ptr, spec, fmt); case 'D': - return dentry_name(buf, end, - ((const struct file *)ptr)->f_path.dentry, - spec, fmt); + return file_dentry_name(buf, end, ptr, spec, fmt); #ifdef CONFIG_BLOCK case 'g': return bdev_name(buf, end, ptr, spec, fmt); |