[PATCH] kernfs: Add check for NULL pointer before writing to it.

From: Ashish Mhetre
Date: Tue Nov 20 2018 - 03:39:06 EST

Next message: Paul Menzel: "Realtek NIC uses over 1 Watt with no traffic"
Previous message: Benjamin Gaignard: "Re: [PATCH 2/3] pinctrl: stm32: protect configuration registers with a hwspinlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Bo Yan <byan@xxxxxxxxxx>

The strlcpy function returns the length of source pointer when the
requested size is 0. This behavior is relied upon for sched tracing.
We can't simply return when buf is 0, but we have to protect against the
scenario when buf is 0 and requested size is non-zero, in which case the
strlcpy would lead to illegal memory access.
This issue is reported by coverity as strlcpy might end up using a NULL
buffer and non-zero buf_length value.
To avoid this, add check and return -EINVAL in this case.

Signed-off-by: Bo Yan <byan@xxxxxxxxxx>
Signed-off-by: Ashish Mhetre <amhetre@xxxxxxxxxx>
---
fs/kernfs/dir.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index 4ca0b5c..76c85a5 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -129,6 +129,9 @@ static int kernfs_path_from_node_locked(struct kernfs_node *kn_to,
size_t depth_from, depth_to, len = 0;
int i, j;

+ if (WARN_ON(!buf && buflen > 0))
+ return -EINVAL;
+
if (!kn_to)
return strlcpy(buf, "(null)", buflen);

--
2.7.4

Next message: Paul Menzel: "Realtek NIC uses over 1 Watt with no traffic"
Previous message: Benjamin Gaignard: "Re: [PATCH 2/3] pinctrl: stm32: protect configuration registers with a hwspinlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]