diff options
author | Christoph Hellwig <hch@lst.de> | 2020-07-10 10:57:22 +0200 |
---|---|---|
committer | Dominique Martinet <asmadeus@codewreck.org> | 2020-07-19 14:58:29 +0200 |
commit | a39c46067c845a8a2d7144836e9468b7f072343e (patch) | |
tree | 3a1695a936e75161787df3a635ef3f474d5a7b83 | |
parent | 11ba468877bb23f28956a35e896356252d63c983 (diff) |
net/9p: validate fds in p9_fd_open
p9_fd_open just fgets file descriptors passed in from userspace, but
doesn't verify that they are valid for read or writing. This gets
cought down in the VFS when actually attempting a read or write, but
a new warning added in linux-next upsets syzcaller.
Fix this by just verifying the fds early on.
Link: http://lkml.kernel.org/r/20200710085722.435850-1-hch@lst.de
Reported-by: syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com
Signed-off-by: Christoph Hellwig <hch@lst.de>
[Dominique: amend goto as per Doug Nazar's review]
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
-rw-r--r-- | net/9p/trans_fd.c | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 13cd683a658a..9c9196d30a59 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -803,20 +803,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd) return -ENOMEM; ts->rd = fget(rfd); + if (!ts->rd) + goto out_free_ts; + if (!(ts->rd->f_mode & FMODE_READ)) + goto out_put_rd; ts->wr = fget(wfd); - if (!ts->rd || !ts->wr) { - if (ts->rd) - fput(ts->rd); - if (ts->wr) - fput(ts->wr); - kfree(ts); - return -EIO; - } + if (!ts->wr) + goto out_put_rd; + if (!(ts->wr->f_mode & FMODE_WRITE)) + goto out_put_wr; client->trans = ts; client->status = Connected; return 0; + +out_put_wr: + fput(ts->wr); +out_put_rd: + fput(ts->rd); +out_free_ts: + kfree(ts); + return -EIO; } static int p9_socket_open(struct p9_client *client, struct socket *csocket) |