[dm-devel] Possible null pointer dereference in __rh_alloc()
Dongyang Zhan
zdyzztq at gmail.com
Sun May 3 07:02:21 UTC 2020
Hi,
I am a security researcher; my name is Dongyang Zhan. I found a potential bug in
/drivers/md/dm-region-hash.c in Linux 4.10.17. I hope you can help me to confirm it.
__rh_alloc() in /drivers/md/dm-region-hash.c mishandles the memory
allocation failures of nreg.
Source code:

	struct dm_region *reg, *nreg;

	nreg = mempool_alloc(rh->region_pool, GFP_ATOMIC);
	if (unlikely(!nreg))
		nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);

	nreg->state = rh->log->type->in_sync(rh->log, region, 1) ?
		      DM_RH_CLEAN : DM_RH_NOSYNC;
If the statement (nreg = kmalloc(sizeof(*nreg), GFP_NOIO | __GFP_NOFAIL);) fails,
dereferencing this pointer (nreg->state) will cause a null pointer dereference.
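As an added illustration (not part of the report and not the kernel's code), the following user-space C model reproduces the two-tier allocation shape the report discusses, a pool that can run dry followed by a fallback allocator, and shows where the NULL check belongs when the fallback genuinely can fail. In the kernel, __GFP_NOFAIL directs the allocator to keep retrying rather than return NULL, which is the guarantee the original code leans on; the model deliberately drops that guarantee so the failure path can be exercised. All names here (rh_alloc_region, region_pool, run_allocation_scenario) and the in-sync stand-in are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the allocation pattern in __rh_alloc(): a
 * fixed-size pool that can run dry (stands in for mempool_alloc under
 * GFP_ATOMIC) and a fallback to the general allocator (stands in for kmalloc).
 * All names are hypothetical; this is not kernel code. */

enum region_state { RH_CLEAN, RH_NOSYNC };

struct region {
	unsigned long key;
	enum region_state state;
	int from_pool;		/* 1 if carved from the pool, 0 if from the fallback */
};

#define POOL_SIZE 2

struct region_pool {
	struct region slots[POOL_SIZE];
	int used[POOL_SIZE];
	int fallback_fails;	/* test knob: make the fallback allocator return NULL */
};

/* Hand out a free pool slot, or NULL when the pool is exhausted. */
static struct region *pool_alloc(struct region_pool *p)
{
	for (int i = 0; i < POOL_SIZE; i++) {
		if (!p->used[i]) {
			p->used[i] = 1;
			memset(&p->slots[i], 0, sizeof(p->slots[i]));
			p->slots[i].from_pool = 1;
			return &p->slots[i];
		}
	}
	return NULL;
}

/* General-purpose fallback; unlike kmalloc(__GFP_NOFAIL) it may fail. */
static struct region *fallback_alloc(struct region_pool *p)
{
	return p->fallback_fails ? NULL : calloc(1, sizeof(struct region));
}

/* Constructed stand-in for rh->log->type->in_sync(): even keys are in sync. */
static int region_in_sync(unsigned long key)
{
	return (key % 2) == 0;
}

/* Two-tier allocation with one NULL check covering both paths: the caller
 * gets NULL back instead of the function dereferencing a NULL pointer. */
struct region *rh_alloc_region(struct region_pool *p, unsigned long key)
{
	struct region *reg = pool_alloc(p);

	if (!reg)
		reg = fallback_alloc(p);
	if (!reg)
		return NULL;

	reg->key = key;
	reg->state = region_in_sync(key) ? RH_CLEAN : RH_NOSYNC;
	return reg;
}

void rh_free_region(struct region_pool *p, struct region *reg)
{
	if (reg->from_pool)
		p->used[reg - p->slots] = 0;
	else
		free(reg);
}

/* Drives the pool through exhaustion, fallback and fallback failure.
 * Returns 0 when every check passes, else the number of the failed check. */
int run_allocation_scenario(void)
{
	struct region_pool pool;
	struct region *a, *b, *c;

	memset(&pool, 0, sizeof(pool));
	a = rh_alloc_region(&pool, 4);
	if (!a || !a->from_pool || a->state != RH_CLEAN)
		return 1;
	b = rh_alloc_region(&pool, 5);
	if (!b || !b->from_pool || b->state != RH_NOSYNC)
		return 2;
	c = rh_alloc_region(&pool, 6);	/* pool full: must come from the fallback */
	if (!c || c->from_pool || c->state != RH_CLEAN)
		return 3;
	pool.fallback_fails = 1;	/* pool full and fallback failing: fail cleanly */
	if (rh_alloc_region(&pool, 7) != NULL)
		return 4;

	rh_free_region(&pool, a);
	rh_free_region(&pool, b);
	rh_free_region(&pool, c);
	return 0;
}
```

The point of the model is the second `if (!reg)`: with the retry guarantee of __GFP_NOFAIL removed, both allocation paths can hand back NULL, and the function reports that to its caller rather than writing through the pointer.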