From: Fedor Pchelkin
To: Eric Van Hensbergen
Cc: Fedor Pchelkin, Latchesar Ionkov, Dominique Martinet, Christian Schoenebeck, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, v9fs@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov, lvc-project@linuxtesting.org
Subject: [PATCH] net: 9p: avoid freeing uninit memory in p9pdu_vreadf
Date: Tue, 5 Dec 2023 11:05:22 +0300
Message-ID: <20231205080524.6635-1-pchelkin@ispras.ru>

If an error occurs while processing an array of strings in p9pdu_vreadf then uninitialized members of *wnames array are freed.

Fix this by iterating over only lower indices of the array.

Found by Linux Verification Center (linuxtesting.org).

Fixes: ace51c4dd2f9 ("9p: add new protocol support code")
Signed-off-by: Fedor Pchelkin

--- net/9p/protocol.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/net/9p/protocol.c b/net/9p/protocol.c index 4e3a2a1ffcb3..d33387e74a66 100644 --- a/net/9p/protocol.c +++ b/net/9p/protocol.c @@ -393,6 +393,7 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, c= onst char *fmt, case 'T':{ uint16_t *nwname =3D va_arg(ap, uint16_t *); char ***wnames =3D va_arg(ap, char ***); + int i; =20 errcode =3D p9pdu_readf(pdu, proto_version, "w", nwname); @@ -406,8 +407,6 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, c= onst char *fmt, } =20 if (!errcode) { - int i; - for (i =3D 0; i < *nwname; i++) { errcode =3D p9pdu_readf(pdu, @@ -421,9 +420,7 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, c= onst char *fmt, =20 if (errcode) { if (*wnames) { - int i; - - for (i =3D 0; i < *nwname; i++) + while (--i >=3D 0) kfree((*wnames)[i]); } kfree(*wnames); --=20 2.43.0
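
Review bot: In the first hunk (@@ -393,6 +393,7 @@), int i; is declared without an initializer, yet the third hunk now reads it in the error path with while (--i >= 0). If errcode is already set by the p9pdu_readf(pdu, proto_version, "w", nwname) call that follows the declaration, the for loop under if (!errcode) never runs and i is never assigned. The cleanup is then safe only if *wnames is guaranteed to be NULL on that path, which these lines do not show. Suggest int i = 0; here, or setting *wnames = NULL before the first read, so the cleanup loop is a no-op when no string was read.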
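
Review bot: In the third hunk (@@ -421,9 +420,7 @@), while (--i >= 0) pre-decrements, so the element at the index where the read failed is never passed to kfree. That is correct only if the failing p9pdu_readf call inside the loop leaves no allocation behind in (*wnames)[i]; the visible lines do not show that, so a one-line comment above the loop stating the assumption would help the next reader. It would also be worth noting there that i holds the index of the failed read when this path is reached from the loop.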