blob: 45e970158a885468b727eb4decabf51a2367afc0 [file] [log] [blame]
From 6b6a7846a6438a747cfe8f1d0aa0f15a513b47f9 Mon Sep 17 00:00:00 2001
From: Jia He <>
Date: Fri, 9 Aug 2019 09:24:56 +0800
Subject: [PATCH] vsprintf: Prevent crash when dereferencing invalid pointers
for %pD
commit 36594b317c656bec8f968db93701d2cb9bc9155c upstream.
Commit 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid
pointers") prevents most crash except for %pD.
There is an additional pointer dereferencing before dentry_name.
At least, vma->file can be NULL and be passed to printk %pD in
print_bad_pte, which can cause crash.
This patch fixes it with introducing a new file_dentry_name.
Fixes: 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers")
To: Geert Uytterhoeven <>
To: Thomas Gleixner <>
To: Andy Shevchenko <>
Cc: Kees Cook <>
Cc: "Steven Rostedt (VMware)" <>
Cc: Shuah Khan <>
Cc: "Tobin C. Harding" <>
Signed-off-by: Jia He <>
Reviewed-by: Andy Shevchenko <>
Reviewed-by: Sergey Senozhatsky <>
Signed-off-by: Petr Mladek <>
Signed-off-by: Paul Gortmaker <>
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 977b9f982b38..672b1817e639 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -876,6 +876,15 @@ char *dentry_name(char *buf, char *end, const struct dentry *d, struct printf_sp
return widen_string(buf, n, end, spec);
+static noinline_for_stack
+char *file_dentry_name(char *buf, char *end, const struct file *f,
+ struct printf_spec spec, const char *fmt)
+ if (check_pointer(&buf, end, f, spec))
+ return buf;
+ return dentry_name(buf, end, f->f_path.dentry, spec, fmt);
static noinline_for_stack
char *bdev_name(char *buf, char *end, struct block_device *bdev,
@@ -2173,9 +2182,7 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
case 'C':
return clock(buf, end, ptr, spec, fmt);
case 'D':
- return dentry_name(buf, end,
- ((const struct file *)ptr)->f_path.dentry,
- spec, fmt);
+ return file_dentry_name(buf, end, ptr, spec, fmt);
case 'g':
return bdev_name(buf, end, ptr, spec, fmt);