[Devel] [PATCH rh7] fs/splice: fix NULL-ptr deref in __generic_splice_read()

Andrey Ryabinin aryabinin at virtuozzo.com
Mon Nov 18 18:37:40 MSK 2019


splice_grow_spd() may reinitialize the spd.pages pointer, so spd.pages
does not necessarily point to the 'pages' array. So the loop:

	while (spd.nr_pages < nr_pages && mapping->i_peer_file) {
		page = pick_peer_page(mapping, index, &in->f_ra,
				      req_pages - spd.nr_pages);
		if (!page)
			break;
		pages[spd.nr_pages++] = page;
		index++;
	}

might increase spd.nr_pages but does not initialize spd.pages,
which might lead to a crash later.

Fix this by using spd.pages instead.

https://jira.sw.ru/browse/PSBM-99561
Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
 fs/splice.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/splice.c b/fs/splice.c
index a02038eaaaf3..7556a996be7a 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -347,7 +347,7 @@ __generic_file_splice_read(struct file *in, loff_t *ppos,
 				      req_pages - spd.nr_pages);
 		if (!page)
 			break;
-		pages[spd.nr_pages++] = page;
+		spd.pages[spd.nr_pages++] = page;
 		index++;
 	}
 
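Review bot: the subject line says __generic_splice_read() but the hunk header shows the change is in __generic_file_splice_read(); fix the subject before this goes in. On the hunk itself: the store is now routed through spd.pages, which matches the changelog, but since splice_grow_spd() can repoint spd.pages away from the local array, every other store through 'pages' that happens after the grow call in this function is the same bug. Please audit the rest of __generic_file_splice_read() for remaining uses of 'pages' (ideally the local array is never referenced again once spd.pages has been handed to splice_grow_spd()). Also worth recording in the changelog: if the local 'pages' array is smaller than the nr_pages this loop can run up to, the old `pages[spd.nr_pages++] = page;` was not only leaving spd.pages unfilled but could also write past the end of the stack array.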
-- 
2.23.0
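To make the failure mode in the changelog concrete, here is an added user-space model of the aliasing bug; it is not code from the patch or from the kernel. The names splice_grow_spd(), spd.pages and nr_pages mirror the kernel's, but the struct layout, the 4-entry grow threshold, the 64-entry local array (kept large so the pre-patch variant's stray stores stay in bounds and only the aliasing is demonstrated) and the constructed backing pages are all assumptions of the example. fill_and_count_holes() runs the loop either the pre-patch way (storing through the local array) or the patched way (storing through spd.pages) and returns how many NULL slots a consumer of spd.pages would then dereference.

```c
/*
 * Added example: user-space model of the spd.pages aliasing bug.
 * Not kernel code; names mirror fs/splice.c, sizes are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PIPE_DEF_BUFFERS 4     /* assumed grow threshold for this model */
#define MODEL_MAX_PAGES 64     /* assumed upper bound for the demonstration */

struct page { unsigned long index; };

/* Minimal stand-in for struct splice_pipe_desc */
struct splice_pipe_desc {
	struct page **pages;       /* starts aliasing the caller's array */
	unsigned int nr_pages;
	unsigned int nr_pages_max;
};

/*
 * Model of splice_grow_spd(): when more than PIPE_DEF_BUFFERS pages are
 * wanted, replace the caller-supplied array with a zeroed heap array.
 * After this returns, spd->pages may no longer point at the caller's array.
 */
static int splice_grow_spd(struct splice_pipe_desc *spd, unsigned int want)
{
	spd->nr_pages_max = PIPE_DEF_BUFFERS;
	if (want <= PIPE_DEF_BUFFERS)
		return 0;
	spd->pages = calloc(want, sizeof(*spd->pages));
	if (!spd->pages)
		return -1;
	spd->nr_pages_max = want;
	return 0;
}

/* Model of splice_shrink_spd(): release the heap array if grow allocated one. */
static void splice_shrink_spd(struct splice_pipe_desc *spd)
{
	if (spd->nr_pages_max > PIPE_DEF_BUFFERS)
		free(spd->pages);
}

/*
 * Run the fill loop for nr_pages pages. With use_stale_array != 0 the store
 * goes through the local 'pages' array (pre-patch); otherwise through
 * spd.pages (patched). Returns the number of NULL entries among the first
 * spd.nr_pages slots of spd.pages, i.e. pending NULL dereferences for the
 * consumer. 0 means the consumer sees every page; (unsigned int)-1 is an
 * allocation or size error.
 */
static unsigned int fill_and_count_holes(unsigned int nr_pages, int use_stale_array)
{
	struct page *pages[MODEL_MAX_PAGES] = { 0 };
	struct page backing[MODEL_MAX_PAGES];   /* constructed stand-in for page-cache pages */
	struct splice_pipe_desc spd = { .pages = pages, .nr_pages = 0, .nr_pages_max = 0 };
	unsigned int i, holes = 0;

	if (nr_pages > MODEL_MAX_PAGES || splice_grow_spd(&spd, nr_pages))
		return (unsigned int)-1;

	/* The loop from __generic_file_splice_read(), with the peer lookup
	 * replaced by a constructed page. */
	while (spd.nr_pages < nr_pages) {
		struct page *page = &backing[spd.nr_pages];
		page->index = spd.nr_pages;
		if (use_stale_array)
			pages[spd.nr_pages++] = page;      /* pre-patch: local array */
		else
			spd.pages[spd.nr_pages++] = page;  /* patched: wherever grow left spd.pages */
	}

	/* What a consumer walking spd.pages[0..nr_pages) would hit. */
	for (i = 0; i < spd.nr_pages; i++)
		if (!spd.pages[i])
			holes++;

	splice_shrink_spd(&spd);
	return holes;
}

int main(void)
{
	printf("small pipe, pre-patch: %u holes\n", fill_and_count_holes(3, 1));
	printf("small pipe, patched:   %u holes\n", fill_and_count_holes(3, 0));
	printf("grown pipe, pre-patch: %u holes\n", fill_and_count_holes(8, 1));
	printf("grown pipe, patched:   %u holes\n", fill_and_count_holes(8, 0));
	return 0;
}
```

The small-pipe case shows why the bug is easy to miss: as long as splice_grow_spd() does not reallocate, spd.pages still aliases the local array and both variants behave identically. Only once the pipe is large enough to trigger the grow does the pre-patch store land in the stale array, leaving spd.nr_pages counted entries that are all NULL in spd.pages.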


