Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
android_kernel_samsung_msm8976/fs
History
YueHaibing d7f469f4a6 fs/proc/proc_sysctl.c: Fix a NULL pointer dereference 
commit 89189557b47b35683a27c80ee78aef18248eefb4 upstream.

Syzkaller report this:

  sysctl could not get directory: /net//bridge -12
  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP KASAN PTI
  CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G         C        5.1.0-rc3+ #8
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
  RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline]
  RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline]
  RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline]
  RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459
  Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48
  RSP: 0018:ffff8881bb507778 EFLAGS: 00010206
  RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a
  RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568
  RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4
  R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558
  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  FS:  00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:
   erase_entry fs/proc/proc_sysctl.c:178 [inline]
   erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207
   start_unregistering fs/proc/proc_sysctl.c:331 [inline]
   drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631
   get_subdir fs/proc/proc_sysctl.c:1022 [inline]
   __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
   br_netfilter_init+0x68/0x1000 [br_netfilter]
   do_one_initcall+0xbc/0x47d init/main.c:901
   do_init_module+0x1b5/0x547 kernel/module.c:3456
   load_module+0x6405/0x8c10 kernel/module.c:3804
   __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
   do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
   entry_SYSCALL_64_after_hwframe+0x49/0xbe
  Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle
   iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter]
  Dumping ftrace buffer:
     (ftrace buffer empty)
  ---[ end trace 68741688d5fbfe85 ]---

commit 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer
dereference in put_links") forgot to handle start_unregistering() case,
while header->parent is NULL, it calls erase_header() and as seen in the
above syzkaller call trace, accessing &header->parent->root will trigger
a NULL pointer dereference.

As that commit explained, there is also no need to call
start_unregistering() if header->parent is NULL.

Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com
Fixes: 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links")
Fixes: 0e47c99d7f ("sysctl: Replace root_list with links between sysctl_table_sets")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reported-by: Hulk Robot <hulkci@huawei.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2019-07-27 22:10:40 +02:00
..
9p Merge tag 'LA.BR.1.3.6-03910-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD 2017-05-26 13:28:48 +02:00
adfs fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
affs This is the 3.10.84 stable release 2015-09-30 13:25:40 +05:30
afs
autofs4 move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:34:00 +02:00
befs fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
bfs
btrfs Merge tag 'LA.BR.1.3.6-03910-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD 2017-05-26 13:28:48 +02:00
cachefiles cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) 2019-07-27 21:52:39 +02:00
ceph move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:34:00 +02:00
cifs This is the 3.10.102 stable release 2017-04-18 17:22:08 +02:00
coda convert coda 2019-07-27 22:09:20 +02:00
configfs
cramfs fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
crypto fscrypt: remove broken support for detecting keyring key revocation 2019-07-27 21:51:53 +02:00
debugfs treewide: Fix typo in Documentation/DocBook 2019-07-27 22:10:20 +02:00
devpts This is the 3.10.98 stable release 2017-04-18 17:17:24 +02:00
dlm
ecryptfs eCryptfs: use after free in ecryptfs_release_messaging() 2019-07-27 21:51:50 +02:00
efivarfs efi: Make efivarfs entries immutable by default 2016-03-16 08:41:37 -07:00
efs fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
exfat Import latest Samsung release 2017-04-18 03:43:52 +02:00
exofs
exportfs This is the 3.10.84 stable release 2015-09-30 13:25:40 +05:30
ext2 it's still short a few helpers, but infrastructure should be OK now... 2018-12-03 11:52:03 +01:00
ext3 posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
ext4 ext4: report real fs size after failed resize 2019-07-27 22:10:07 +02:00
f2fs f2fs: move dir data flush to write checkpoint process 2019-07-27 22:06:03 +02:00
fat fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() 2019-07-27 21:52:38 +02:00
freevxfs fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
fscache FS-Cache: fix dereference of NULL user_key_payload 2019-07-27 21:44:20 +02:00
fuse fuse: handle zero sized retrieve correctly 2019-07-27 22:06:05 +02:00
gfs2 posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
hfs Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
hfsplus Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
hostfs uml: fix hostfs mknod() 2016-03-03 15:06:23 -08:00
hpfs Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
hppfs
hugetlbfs mm: larger stack guard gap, between vmas 2017-07-11 00:00:39 +00:00
isofs isofs: fix timestamps beyond 2027 2019-07-27 21:46:04 +02:00
jbd
jbd2 jbd2: if the journal is aborted then don't allow update of the log tail 2019-07-27 21:52:00 +02:00
jffs2 Merge tag 'LA.BR.1.3.6-03910-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD 2017-05-26 13:28:48 +02:00
jfs posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
lockd lockd: create NSM handles per net namespace 2016-03-03 15:06:20 -08:00
logfs
minix it's still short a few helpers, but infrastructure should be OK now... 2018-12-03 11:52:03 +01:00
ncpfs This is the 3.10.84 stable release 2015-09-30 13:25:40 +05:30
nfs This is the 3.10.99 stable release 2017-04-18 17:17:46 +02:00
nfs_common
nfsd nfsd: auth: Fix gid sorting when rootsquash enabled 2019-07-27 21:46:18 +02:00
nilfs2 This is the 3.10.84 stable release 2015-09-30 13:25:40 +05:30
nls
notify fanotify: fix logic of events on child 2019-07-27 21:52:17 +02:00
ntfs fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
ocfs2 posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
omfs fs, omfs: add NULL terminator in the end up the token list 2015-06-05 23:19:54 -07:00
openpromfs fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
proc fs/proc/proc_sysctl.c: Fix a NULL pointer dereference 2019-07-27 22:10:40 +02:00
pstore pstore/ram: Do not treat empty buffers as valid 2019-07-27 21:53:37 +02:00
qnx4 fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
qnx6 fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
quota
ramfs
reiserfs posix_acl: Clear SGID bit when setting file permissions 2017-04-28 00:00:11 -07:00
romfs fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
sdcardfs ANDROID: sdcardfs: Add option to not link obb 2019-07-27 21:53:28 +02:00
sdfat sdfat: Capitalize config options 2019-07-27 22:08:28 +02:00
squashfs Squashfs: Add LZ4 compression configuration option 2015-09-16 18:20:12 +05:30
sysfs Import latest Samsung release 2017-04-18 03:43:52 +02:00
sysv This is the 3.10.97 stable release 2017-04-18 17:17:20 +02:00
ubifs fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
udf This is the 3.10.98 stable release 2017-04-18 17:17:24 +02:00
ufs fs: push sync_filesystem() down to the file system's remount_fs() 2015-09-16 18:20:11 +05:30
xfs posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
yaffs2
Kconfig Initial port of sdcardfs 2018-02-06 13:12:17 +01:00
Kconfig.binfmt
Makefile Initial port of sdcardfs 2018-02-06 13:12:17 +01:00
aio.c fix io_destroy()/aio_complete() race 2019-07-27 21:49:38 +02:00
anon_inodes.c
attr.c vfs: Add setattr2 for filesystems with per mount permissions 2018-02-06 13:12:20 +01:00
bad_inode.c
binfmt_aout.c
binfmt_elf.c binfmt_elf: Fix missing SIGKILL for empty PIE 2019-07-27 22:10:24 +02:00
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c fs/binfmt_misc.c: do not allow offset overflow 2019-07-27 21:52:50 +02:00
binfmt_script.c
binfmt_som.c
bio-integrity.c
bio.c block: do not leak memory in bio_copy_user_iov() 2019-07-27 22:10:06 +02:00
block_dev.c block: protect iterate_bdevs() against concurrent close 2019-07-27 21:42:54 +02:00
buffer.c treewide: Fix typo in Documentation/DocBook 2019-07-27 22:10:20 +02:00
char_dev.c
compat.c constify ->actor 2015-09-16 18:20:09 +05:30
compat_binfmt_elf.c
compat_ioctl.c
coredump.c coredump: fix unfreezable coredumping task 2019-07-27 21:42:15 +02:00
coredump.h
dcache.c fs: take_dentry_name_snapshot: avoid kfree under spinlock fixup 2019-07-27 21:45:27 +02:00
dcookies.c
direct-io.c direct-io: Prevent NULL pointer access in submit_page_section 2019-07-27 21:44:19 +02:00
drop_caches.c Import latest Samsung release 2017-04-18 03:43:52 +02:00
eventfd.c
eventpoll.c fs/epoll: drop ovflist branch prediction 2019-07-27 22:06:04 +02:00
exec.c fs/exec.c:de_thread(): use change_pid() rather than detach_pid/attach_pid 2019-07-27 22:10:32 +02:00
fcntl.c vfs: add missing check for __O_TMPFILE in fcntl_init() 2018-12-03 11:52:41 +01:00
fhandle.c vfs: read file_handle only once in handle_to_path. 2015-07-22 07:25:30 -07:00
file.c
file_table.c get rid of s_files and files_lock 2015-07-03 19:48:08 -07:00
filesystems.c
fs-writeback.c bdi: Fix oops in wb_workfn() 2019-07-27 21:52:12 +02:00
fs_struct.c sdcardfs: override umask on mkdir and create 2018-02-06 13:12:18 +01:00
generic_acl.c tmpfs: clear S_ISGID when setting posix ACLs 2017-04-22 23:02:57 +02:00
inode.c Fix up non-directory creation in SGID directories 2019-07-27 21:51:41 +02:00
internal.h allow build_open_flags() to return an error 2019-07-27 22:08:22 +02:00
ioctl.c
ioprio.c block: fix use-after-free in sys_ioprio_get() 2016-11-19 20:01:20 -08:00
libfs.c move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:34:00 +02:00
locks.c locks: fix locks_mandatory_locked to respect file-private locks 2019-07-27 22:08:10 +02:00
mbcache.c
mount.h
mpage.c
namei.c allow build_open_flags() to return an error 2019-07-27 22:08:22 +02:00
namespace.c Don't leak MNT_INTERNAL away from internal mounts 2019-07-27 21:52:13 +02:00
no-block.c
open.c allow build_open_flags() to return an error 2019-07-27 22:08:22 +02:00
pipe.c pipe: read buffer limits atomically 2019-07-27 21:49:46 +02:00
pnode.c BACKPORT: smarter propagate_mnt() 2019-07-27 21:51:52 +02:00
pnode.h BACKPORT: smarter propagate_mnt() 2019-07-27 21:51:52 +02:00
posix_acl.c posix_acl: Clear SGID bit when setting file permissions 2019-07-27 21:42:52 +02:00
proc_namespace.c vfs: Allow filesystems to access their private mount data 2018-02-06 13:12:19 +01:00
read_write.c fs: Workaround the compiler's bad optimization 2016-02-04 13:23:34 +05:30
readdir.c fs: readdir: Fix su hide patch for non-iterate filesystems 2017-07-14 21:04:43 +02:00
select.c
seq_file.c Make file credentials available to the seqfile interfaces 2019-07-27 22:05:58 +02:00
signalfd.c signalfd: fix information leak in signalfd_copyinfo 2015-08-16 20:51:42 -07:00
splice.c vfs: fix uninitialized flags in splice_to_pipe() 2019-07-27 21:43:53 +02:00
stack.c
stat.c
statfs.c
super.c vfs: Allow filesystems to access their private mount data 2018-02-06 13:12:19 +01:00
sync.c Import T813XXS2BRC2 kernel source changes 2018-05-26 00:39:42 +02:00
timerfd.c timerfd: Protect the might cancel mechanism proper 2017-11-08 05:33:07 -08:00
utimes.c vfs: Add setattr2 for filesystems with per mount permissions 2018-02-06 13:12:20 +01:00
xattr.c getxattr: use correct xattr length 2019-07-27 21:51:26 +02:00
xattr_acl.c