On Sun, Jul 12, 2020 at 02:36:31PM -0700, Eric Biggers wrote: > On Sun, Jul 12, 2020 at 05:03:00PM -0400, Peilin Ye wrote: > > qrtr_tun_write_iter() is dereferencing `ZERO_SIZE_PTR`s when `from->count` > > equals to zero. Fix it by rejecting zero-length kzalloc() requests. > > > > This patch fixes the following syzbot bug: > > > > > > https://syzkaller.appspot.com/bug?id=f56bbe6668873ee245986bbd23312b895fa5a50a > > > > Reported-by: syzbot+03e343dbccf82a524...@syzkaller.appspotmail.com > > Signed-off-by: Peilin Ye <yepeilin...@gmail.com> > > --- > > net/qrtr/tun.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c > > index 15ce9b642b25..5465e94ba8e5 100644 > > --- a/net/qrtr/tun.c > > +++ b/net/qrtr/tun.c > > @@ -80,6 +80,9 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, > > struct iov_iter *from) > > ssize_t ret; > > void *kbuf; > > > > + if (!len) > > + return -EINVAL; > > + > > kbuf = kzalloc(len, GFP_KERNEL); > > if (!kbuf) > > return -ENOMEM; > > Wasn't this already fixed by: > > commit 8ff41cc21714704ef0158a546c3c4d07fae2c952 > Author: Dan Carpenter <dan.carpen...@oracle.com> > Date: Tue Jun 30 14:46:15 2020 +0300 > > net: qrtr: Fix an out of bounds read qrtr_endpoint_post()
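Review bot: the `if (!len) return -EINVAL;` guard added before kzalloc() duplicates a fix that is already merged as commit 8ff41cc21714704ef0158a546c3c4d07fae2c952 ("net: qrtr: Fix an out of bounds read qrtr_endpoint_post()"), so the patch should be dropped or rebased onto a tree containing that commit and the syzbot reproducer re-run there before resending. If it is resent, the commit message should say where the faulting read is: kzalloc(0) does not fail, it returns ZERO_SIZE_PTR, which is fine to pass to kfree() but must not be dereferenced, so the crash belongs to whatever later reads the buffer assuming a minimum length, not to the allocation; `len` itself is computed above the visible context, so a reader of this hunk cannot see how it is derived from `from`.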
Yep. If you're using kmalloc() you can allocate a zero byte buffer but you just can't access the array. for (i = 0; i < 0; i++) works.

It's interesting because at the time I wrote the patch I thought "len" probably couldn't be zero but I just checked it for completeness and readability.

regards,
dan carpenter
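The point Dan makes, that a zero-length kmalloc() succeeds but the result must not be read, shown as an added userspace model (not kernel code and not part of the thread). ZERO_SIZE_PTR and ZERO_OR_NULL_PTR use the values from include/linux/slab.h; model_kzalloc(), model_endpoint_post(), model_write_iter(), MODEL_HDR_LEN and the sample message are stand-ins I made up for qrtr_tun_write_iter() and its consumer.

```c
/* Added userspace model of zero-length kmalloc() behaviour; not kernel code.
 * ZERO_SIZE_PTR / ZERO_OR_NULL_PTR match include/linux/slab.h, the rest is a stand-in. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= (unsigned long)ZERO_SIZE_PTR)
#define MODEL_HDR_LEN 4 /* hypothetical header size the consumer reads */

/* Like kzalloc(): a zero-length request succeeds with a non-NULL sentinel. */
static void *model_kzalloc(size_t len)
{
	return len ? calloc(1, len) : ZERO_SIZE_PTR;
}

/* Stand-in consumer that reads a fixed header. Without the length check this
 * is a read past a zero-byte buffer, i.e. a dereference of ZERO_SIZE_PTR. */
static int model_endpoint_post(const void *data, size_t len, uint8_t *hdr)
{
	if (len < MODEL_HDR_LEN)
		return -EINVAL;
	memcpy(hdr, data, MODEL_HDR_LEN);
	return 0;
}

/* Stand-in for the patched qrtr_tun_write_iter(): bytes consumed or -errno. */
static ssize_t model_write_iter(const uint8_t *src, size_t len, uint8_t *hdr)
{
	void *kbuf;
	int ret;
	if (!len)
		return -EINVAL; /* the guard the patch adds */
	kbuf = model_kzalloc(len);
	if (!kbuf)
		return -ENOMEM; /* never taken for len == 0: the sentinel is non-NULL */
	memcpy(kbuf, src, len);
	ret = model_endpoint_post(kbuf, len, hdr);
	if (!ZERO_OR_NULL_PTR(kbuf)) /* kfree() itself tolerates the sentinel */
		free(kbuf);
	return ret ? ret : (ssize_t)len;
}

/* Constructed sample input: first header byte on success, otherwise -errno. */
static long model_sample(size_t len)
{
	static const uint8_t msg[6] = { 0x2a, 0, 0, 0, 9, 9 };
	uint8_t hdr[MODEL_HDR_LEN] = { 0 };
	ssize_t ret = model_write_iter(msg, len, hdr);
	return ret < 0 ? (long)ret : hdr[0];
}
```

A len-bounded loop or a 0-byte memcpy over ZERO_SIZE_PTR touches nothing; only a consumer that assumes a minimum size, like the header read here, needs the length check.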