mirror of
https://github.com/hardkernel/linux.git
synced 2026-06-05 18:41:58 +09:00
UPSTREAM: erofs: fix out-of-bound access when z_erofs_gbuf_growsize() partially fails
If z_erofs_gbuf_growsize() partially fails on a global buffer due to memory allocation failure or fault injection (as reported by syzbot [1]), new pages need to be freed by comparing to the existing pages to avoid memory leaks. However, the old gbuf->pages[] array may not be large enough, which can lead to null-ptr-deref or out-of-bound access. Fix this by checking against gbuf->nrpages in advance. [1] https://lore.kernel.org/r/000000000000f7b96e062018c6e3@google.com Bug: 361157912 Reported-by: syzbot+242ee56aaa9585553766@syzkaller.appspotmail.com Fixes: d6db47e571dc ("erofs: do not use pagepool in z_erofs_gbuf_growsize()") Cc: <stable@vger.kernel.org> # 6.10+ Reviewed-by: Chunhai Guo <guochunhai@vivo.com> Reviewed-by: Sandeep Dhavale <dhavale@google.com> Change-Id: I5d6c8f63959db4a7e5bbf14da9b4c9ba04322c8c Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Link: https://lore.kernel.org/r/20240820085619.1375963-1-hsiangkao@linux.alibaba.com (cherry picked from commit 0005e01e1e875c5e27130c5e2ed0189749d1e08a) Signed-off-by: Sandeep Dhavale <dhavale@google.com>
This commit is contained in:
Gao Xiang
committed by
Sandeep Dhavale
Sandeep Dhavale
parent
7c5c6b6397
commit
8a0fa49a77
@@ -111,7 +111,8 @@ int z_erofs_gbuf_growsize(unsigned int nrpages)
|
|||||||
out:
|
out:
|
||||||
if (i < z_erofs_gbuf_count && tmp_pages) {
|
if (i < z_erofs_gbuf_count && tmp_pages) {
|
||||||
for (j = 0; j < nrpages; ++j)
|
for (j = 0; j < nrpages; ++j)
|
||||||
if (tmp_pages[j] && tmp_pages[j] != gbuf->pages[j])
|
if (tmp_pages[j] && (j >= gbuf->nrpages ||
|
||||||
|
tmp_pages[j] != gbuf->pages[j]))
|
||||||
__free_page(tmp_pages[j]);
|
__free_page(tmp_pages[j]);
|
||||||
kfree(tmp_pages);
|
kfree(tmp_pages);
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user