hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBO3FG
CVE: NA

--------------------------------

When cifs_sb->rsize is 0, cifs_send_async_read() fails to allocate the pages array using iov_iter_get_pages_alloc(), resulting in data->pages being NULL. This eventually triggers a NULL pointer dereference in the callback function uncached_fill_pages().

cifs_sb->rsize is set to the minimum value between SMB3_DEFAULT_IOSIZE and server->max_read. SMB3_DEFAULT_IOSIZE is 4MB.

There are two reasons that cause cifs_sb->rsize to be 0:

1. During the negotiation process, if the server returns an rsp->MaxReadSize of 0, server->max_read is assigned 0. And the calculated value of cifs_sb->rsize becomes 0.

2. In the cifsd thread, if cifs_reconnect() is invoked, server->max_read is set to 0. Prior to the completion of the reconnection process, the calculated value of cifs_sb->rsize becomes 0.

It is important to note that cifs_sb->rsize is only set to 0 during the mount phase. Therefore, a straightforward approach to prevent potential NULL pointer dereferences in the future is to implement a check for cifs_sb->rsize during the mount stage. If the value is found to be 0, the mount process should exit early to avoid any subsequent NULL pointer dereferences.

Fixes: aa24d1e9 ("CIFS: Process reconnects for SMB2 shares")
Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>