[RHEL7,COMMIT] fs/splice: fix NULL-ptr deref in __generic_splice_read()

Submitted by Konstantin Khorenko on Nov. 19, 2019, 4:28 p.m.

Details

Message ID 201911191628.xAJGSdRE030771@finist-ce7.sw.ru
State New
Series "fs/splice: fix NULL-ptr deref in __generic_splice_read()"

Commit Message

Konstantin Khorenko Nov. 19, 2019, 4:28 p.m.
The commit is pushed to "branch-rh7-3.10.0-1062.4.2.vz7.116.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1062.4.2.vz7.116.3
------>
commit 0a91a3aa52e56fec4e6a4d5178ae36939a24c4bf
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date:   Tue Nov 19 19:28:39 2019 +0300

    fs/splice: fix NULL-ptr deref in __generic_splice_read()
    
    splice_grow_spd() may reinitialize the spd.pages pointer, so spd.pages
    does not necessarily point to the 'pages' array. So the loop:
    
            while (spd.nr_pages < nr_pages && mapping->i_peer_file) {
                    page = pick_peer_page(mapping, index, &in->f_ra,
                                          req_pages - spd.nr_pages);
                    if (!page)
                            break;
                    pages[spd.nr_pages++] = page;
                    index++;
            }
    
    might increase spd.nr_pages but does not initialize spd.pages,
    which might lead to a crash later.
    
    Fix this by using spd.pages instead.
    
    https://jira.sw.ru/browse/PSBM-99561
    Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    
    khorenko@: this is a part of ms commit 35f3d14dbbc5 ("pipe: add support for
    shrinking and growing pipes")
    Fixes: 9d0a46d0bd06 ("pfcache: add generic mapping peers")
---
 fs/splice.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
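As an added illustration (not the kernel's code and not part of this patch), a small user-space model of the aliasing the commit message describes: a local `pages[]` array is aliased by `spd.pages` until a grow step re-points it, after which stores through the local array no longer initialise the slots that `spd.nr_pages` counts. `grow_spd()`, `pick_peer_page()`, `struct page`, the page pool and the PIPE_DEF_BUFFERS value are simplified stand-ins for the kernel definitions, not copies of them.

```c
#include <stdbool.h>
#include <stdlib.h>
#define PIPE_DEF_BUFFERS 4            /* assumed on-stack capacity of the model */
struct page { int id; };              /* simplified stand-in for the kernel's struct page */
static struct page pool[16];          /* constructed pages handed out by pick_peer_page() */
struct splice_pipe_desc { struct page **pages; int nr_pages; };

/* Stand-in for splice_grow_spd(): above PIPE_DEF_BUFFERS pages, spd->pages is
 * re-pointed to a zeroed heap array and no longer aliases the caller's array. */
static bool grow_spd(struct splice_pipe_desc *spd, int want)
{
	if (want <= PIPE_DEF_BUFFERS)
		return true;
	spd->pages = calloc((size_t)want, sizeof(*spd->pages));
	return spd->pages != NULL;
}

/* Stand-in for pick_peer_page(): a pool page, or NULL once the pool is used up. */
static struct page *pick_peer_page(int index)
{
	return index < (int)(sizeof pool / sizeof pool[0]) ? &pool[index] : NULL;
}

/* Runs the loop from the commit message for nr_pages pages, storing through the
 * local pages[] (pre-patch, use_spd_pages == false) or spd.pages (patched).
 * Returns how many slots counted by spd.nr_pages are still NULL in spd.pages. */
int count_uninitialised_slots(int nr_pages, bool use_spd_pages)
{
	struct page *pages[PIPE_DEF_BUFFERS] = { 0 };
	struct splice_pipe_desc spd = { .pages = pages, .nr_pages = 0 };
	int index = 0, holes = 0;
	if (!grow_spd(&spd, nr_pages))
		return -1;                         /* allocation failure */
	while (spd.nr_pages < nr_pages) {
		struct page *page = pick_peer_page(index);
		if (!page)
			break;
		if (use_spd_pages)
			spd.pages[spd.nr_pages] = page;    /* the patched store */
		else if (spd.nr_pages < PIPE_DEF_BUFFERS)
			pages[spd.nr_pages] = page;        /* pre-patch store, bounded only to keep the model defined */
		spd.nr_pages++;
		index++;
	}
	for (int i = 0; i < spd.nr_pages; i++)
		holes += (spd.pages[i] == NULL);
	if (spd.pages != pages)
		free(spd.pages);
	return holes;
}
```

With at most PIPE_DEF_BUFFERS pages both variants behave identically because no grow happens; once the descriptor grows, only the patched store leaves no NULL slots behind.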


diff --git a/fs/splice.c b/fs/splice.c
index a02038eaaaf3..7556a996be7a 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -347,7 +347,7 @@  __generic_file_splice_read(struct file *in, loff_t *ppos,
 				      req_pages - spd.nr_pages);
 		if (!page)
 			break;
-		pages[spd.nr_pages++] = page;
+		spd.pages[spd.nr_pages++] = page;
 		index++;
 	}
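Review bot: the subject line names __generic_splice_read() but the hunk's context line shows the function is __generic_file_splice_read(); the commit title should use the name as it appears in fs/splice.c. The one-line change itself matches the commit message (storing through spd.pages, which splice_grow_spd() may have re-pointed, rather than the local pages[] array), but the hunk does not show whether any other store into the local pages[] remains in the function after the grow step, so that is worth confirming before merging.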