From: Dongyang Zhan <zdyz...@gmail.com>
Date: Sun, May 3, 2020 at 1:45 PM
Subject: Possible null pointer dereference caused by vmstat_start()
To: <fenghua...@intel.com>
Cc: <linux-kernel@vger.kernel.org>
In Linux 4.10.17, vmstat_start() stores the result of v = kmalloc(stat_items_size, GFP_KERNEL) in m->private = v before the security check. If m->private is accessed, it may cause a null pointer dereference.

Source code link: https://elixir.bootlin.com/linux/v4.10.17/source/mm/vmstat.c#L1465

Source code:

	v = kmalloc(stat_items_size, GFP_KERNEL);
	m->private = v;		// stores v before check
	if (!v)
		return ERR_PTR(-ENOMEM);

Function rdtgroup_seqfile_show() in arch/x86/kernel/cpu/intel_rdt_rdtgroup.c accesses this pointer without a check, which is a possible bug.

Link: https://elixir.bootlin.com/linux/v4.10.17/source/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c#150

Source code:

	static int rdtgroup_seqfile_show(struct seq_file *m, void *arg)
	{
		struct kernfs_open_file *of = m->private;
		struct rftype *rft = of->kn->priv;	// without check

		if (rft->seq_show)
			return rft->seq_show(of, m, arg);
		return 0;
	}
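Editor's added illustration (not part of the report above and not kernel code): a small user-space C model of the allocate / publish / check ordering the report points at. It shows, with a constructed fault-injection knob standing in for a failing kmalloc(), that storing the allocation result into m->private before testing it leaves a NULL published to whoever reads m->private next, that a consumer which trusts that field unconditionally would dereference NULL, and that a consumer which tests the field first fails cleanly instead. The struct seq_file here, fake_kmalloc(), start_store_before_check(), show_unchecked(), show_checked() and the sentinel buffer are all assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of seq_file: only the field the report is about. */
struct seq_file {
	void *private;
};

#define NR_ITEMS 8

/* Constructed fault-injection knob (not a kernel facility): when set,
 * the next allocation returns NULL, the way kmalloc() can fail. */
static int fail_next_alloc;

static void *fake_kmalloc(size_t n)
{
	if (fail_next_alloc) {
		fail_next_alloc = 0;
		return NULL;
	}
	return malloc(n);
}

/* The ordering quoted in the report: the pointer is stored into
 * m->private first and tested afterwards, so on failure a NULL is
 * published to anyone who later reads m->private. */
static int start_store_before_check(struct seq_file *m)
{
	unsigned long *v = fake_kmalloc(NR_ITEMS * sizeof(*v));

	m->private = v;		/* may be NULL at this point */
	if (!v)
		return -ENOMEM;
	for (int i = 0; i < NR_ITEMS; i++)
		v[i] = i;
	return 0;
}

/* Hypothetical consumer that trusts m->private unconditionally;
 * dereferences NULL if the start routine above failed. */
static unsigned long show_unchecked(struct seq_file *m)
{
	unsigned long *v = m->private;

	return v[NR_ITEMS - 1];
}

/* Hardened consumer: refuses to touch a NULL private pointer. */
static long show_checked(struct seq_file *m)
{
	unsigned long *v = m->private;

	if (!v)
		return -EINVAL;
	return (long)v[NR_ITEMS - 1];
}

/* Cleanup; free(NULL) is a no-op, like kfree(NULL). */
static void stop(struct seq_file *m)
{
	free(m->private);
	m->private = NULL;
}

/* Stand-in for whatever m->private held before start() ran, so the
 * overwrite with NULL is visible. */
static unsigned long sentinel[NR_ITEMS];

/* Returns 1 if a failed start overwrote m->private with NULL. */
int null_published_after_failed_start(void)
{
	struct seq_file m = { .private = sentinel };
	int ret, published_null;

	fail_next_alloc = 1;
	ret = start_store_before_check(&m);
	published_null = (ret == -ENOMEM && m.private == NULL);
	stop(&m);
	return published_null;
}

/* What the hardened consumer returns after a failed start: -EINVAL
 * rather than a NULL dereference. */
long checked_show_after_failed_start(void)
{
	struct seq_file m = { .private = sentinel };
	long r;

	fail_next_alloc = 1;
	(void)start_store_before_check(&m);
	r = show_checked(&m);
	stop(&m);
	return r;
}

/* With a successful allocation either consumer is safe; returns the
 * last stored item (NR_ITEMS - 1). */
long show_after_successful_start(void)
{
	struct seq_file m = { .private = sentinel };
	long r;

	fail_next_alloc = 0;
	if (start_store_before_check(&m))
		return -1;
	r = (long)show_unchecked(&m);
	stop(&m);
	return r;
}

int main(void)
{
	printf("NULL published after failed start: %d\n", null_published_after_failed_start());
	printf("checked consumer after failed start: %ld\n", checked_show_after_failed_start());
	printf("consumer after successful start: %ld\n", show_after_successful_start());
	return 0;
}
```

The model only reproduces the pointer-ordering question; it does not reproduce how the kernel's seq_file machinery sequences start(), show() and stop() around an error return, which is what decides whether a real consumer ever sees the published NULL.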