On Sat, Jul 20, 2019 at 07:29:49AM +0800, Yin Fengwei wrote:
> syzbot reported a general protection fault in kstrtouint:
> https://lkml.org/lkml/2019/7/18/328
>
> From the log, if the mount option is something like:
> fd,XXXXXXXXXXXXXXXXXXXX
>
> The default parameter (which has NULL param->string) will be
> passed to vfs_parse_fs_param. Finally, this NULL param->string
> is passed to kstrtouint and triggers a NULL pointer access.
>
> Reported-by: syzbot+398343b7c1b1b9892...@syzkaller.appspotmail.com
> Fixes: 71cbb7570a9a ("vfs: Move the subtype parameter into fuse")
>
> Signed-off-by: Yin Fengwei <nh26223....@gmail.com>
> ---
> ChangeLog:
> v1 -> v2:
> - Fix typo in v1
> - Remove braces {} from single statement blocks
>
> fs/fs_parser.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/fs_parser.c b/fs/fs_parser.c
> index 83b66c9e9a24..7498a44f18c0 100644
> --- a/fs/fs_parser.c
> +++ b/fs/fs_parser.c
> @@ -206,6 +206,9 @@ int fs_parse(struct fs_context *fc,
> case fs_param_is_fd: {
> switch (param->type) {
> case fs_value_is_string:
> + if (!result->has_value)
> + goto bad_value;
> +
> ret = kstrtouint(param->string, 0, &result->uint_32);
> break;
> case fs_value_is_file:
> --
> 2.17.1
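Review bot: the new guard in the fs_value_is_string case tests result->has_value, but the pointer that actually faults, per the commit message, is param->string, and nothing in this hunk shows the two being kept in step; consider either checking `if (!param->string)` directly so the guard is tied to the dereference it protects, or adding a sentence to the commit message explaining why has_value being clear is the only way param->string can be NULL here. Jumping to bad_value on the empty case is the right outcome either way, since an "fd" option with no value is a malformed mount option rather than something to parse.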
Reviewed-by: Eric Biggers <ebigg...@kernel.org>

Al, can you please apply this patch?

- Eric