[dm-devel] Possible null pointer dereference in __rh_alloc()
Alasdair G Kergon
agk at redhat.com
Sun May 3 13:38:20 UTC 2020
On Sun, May 03, 2020 at 03:02:21PM +0800, Dongyang Zhan wrote:
> I am a security researcher; my name is Dongyang Zhan. I found a potential bug in
> /drivers/md/dm-region-hash.c in Linux 4.10.17. I hope you can help me to confirm it.
> __rh_alloc() in /drivers/md/dm-region-hash.c mishandles the memory allocation failure of nreg.
> Source code:
> 	struct dm_region *reg, *nreg;
>
> 	nreg = mempool_alloc(rh->region_pool, GFP_ATOMIC);
> 	if (unlikely(!nreg))
> 		nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);
>
> 	nreg->state = rh->log->type->in_sync(rh->log, region, 1) ?
> 		      DM_RH_CLEAN : DM_RH_NOSYNC;
> If the statement (nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);) fails,
> dereferencing this pointer (nreg->state) will cause a null pointer dereference.
* %__GFP_NOFAIL: The VM implementation _must_ retry infinitely: the caller
* cannot handle allocation failures. The allocation could block
* indefinitely but will never return with failure. Testing for
* failure is pointless.
Alasdair
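The two-stage allocation discussed in this thread, modelled in user space as an added example (this is not kernel code and not part of the original message): sim_mempool_alloc() stands in for mempool_alloc(..., GFP_ATOMIC), which may fail immediately because an atomic caller cannot sleep, and sim_kmalloc_nofail() stands in for kmalloc(..., GFP_NOIO | __GFP_NOFAIL), which by contract retries until it succeeds and never returns NULL. The "memory pressure" counter, pool size and in_sync() stand-in are hypothetical knobs for the demonstration. The point it shows is the one in the reply: the fallback can block for an arbitrarily long time, but the NULL check the report asks for would be dead code.

```c
/*
 * User-space model of the allocation pattern in __rh_alloc(). Added
 * illustration only: the allocators, the pool size and the pressure
 * counter are stand-ins, not the kernel's implementation.
 */
#include <stddef.h>
#include <stdlib.h>

enum region_state { DM_RH_CLEAN, DM_RH_NOSYNC };

struct dm_region {
	enum region_state state;
	unsigned long key;
};

/* Reserve of preallocated regions; stands in for rh->region_pool. */
#define POOL_RESERVE 2
static int pool_free = POOL_RESERVE;

/*
 * Models mempool_alloc(..., GFP_ATOMIC): hand out a reserved element if
 * one is left, otherwise fail at once, because an atomic caller cannot
 * sleep to wait for memory.
 */
static struct dm_region *sim_mempool_alloc(void)
{
	if (pool_free == 0)
		return NULL;
	pool_free--;
	return calloc(1, sizeof(struct dm_region));
}

/* Hypothetical pressure knob: how many times the allocator refuses first. */
static int pressure_failures = 0;
static int nofail_retries = 0;

static struct dm_region *sim_try_alloc(void)
{
	if (pressure_failures > 0) {
		pressure_failures--;
		return NULL;
	}
	return calloc(1, sizeof(struct dm_region));
}

/*
 * Models kmalloc(..., GFP_NOIO | __GFP_NOFAIL): retry until memory is
 * available. This may block indefinitely, but it never returns NULL, so
 * a NULL test on its result can never be true.
 */
static struct dm_region *sim_kmalloc_nofail(void)
{
	struct dm_region *p;

	while ((p = sim_try_alloc()) == NULL)
		nofail_retries++;
	return p;
}

/* Stand-in for rh->log->type->in_sync(): odd regions count as in sync. */
static int sim_in_sync(unsigned long region)
{
	return (int)(region & 1);
}

/* Same shape as __rh_alloc(): atomic fast path, then the NOFAIL fallback. */
static struct dm_region *rh_alloc_region(unsigned long region)
{
	struct dm_region *nreg;

	nreg = sim_mempool_alloc();
	if (nreg == NULL)
		nreg = sim_kmalloc_nofail();

	/* Safe: neither branch can leave nreg NULL. */
	nreg->state = sim_in_sync(region) ? DM_RH_CLEAN : DM_RH_NOSYNC;
	nreg->key = region;
	return nreg;
}

/*
 * Drain the reserve, then allocate once more under simulated pressure.
 * Returns 1 if every region came back non-NULL with the expected fields.
 */
static int demo_allocate_under_pressure(int failures_before_success)
{
	struct dm_region *r[POOL_RESERVE + 1];
	int i, ok = 1;

	pool_free = POOL_RESERVE;
	pressure_failures = failures_before_success;
	nofail_retries = 0;

	for (i = 0; i < POOL_RESERVE + 1; i++) {
		r[i] = rh_alloc_region((unsigned long)i);
		if (r[i] == NULL || r[i]->key != (unsigned long)i)
			ok = 0;
		else if (r[i]->state != ((i & 1) ? DM_RH_CLEAN : DM_RH_NOSYNC))
			ok = 0;
	}
	for (i = 0; i < POOL_RESERVE + 1; i++)
		free(r[i]);
	return ok;
}

/* Number of refusals the NOFAIL path absorbed in the last demo run. */
static int demo_retries(void)
{
	return nofail_retries;
}
```

With the reserve exhausted, the third allocation falls through to the NOFAIL path; however many times the simulated allocator refuses, rh_alloc_region() still returns a usable region, which is why the kernel's own code does not test the result of the __GFP_NOFAIL call.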