Fix null-pointer deref in SYS_readlink()
author: Barret Rhoden <brho@cs.berkeley.edu>
Tue, 30 Apr 2019 00:44:50 +0000 (20:44 -0400)
committer: Barret Rhoden <brho@cs.berkeley.edu>
Tue, 30 Apr 2019 00:48:07 +0000 (20:48 -0400)
We weren't checking the return value, which is NULL when namec() fails
to look up the path.

Incidentally, paths that go through copy_in_path() can be "", at least
under the current code.

Reported-by: syzbot+c9d58a7d1582d003ea18@syzkaller.appspotmail.com
Signed-off-by: Barret Rhoden <brho@cs.berkeley.edu>
kern/src/syscall.c

index a7aba62..4a886b6 100644
@@ -2042,11 +2042,13 @@ intreg_t sys_readlink(struct proc *p, char *path, size_t path_l,
        ssize_t copy_amt;
        int ret = -1;
        char *t_path = copy_in_path(p, path, path_l);
-       struct dir *dir = NULL;
+       struct dir *dir;
 
        if (t_path == NULL)
                return -1;
        dir = sysdirlstat(t_path);
+       if (!dir)
+               return -1;
        if (!(dir->mode & DMSYMLINK))
                set_error(EINVAL, "not a symlink: %s", t_path);
        else
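Review bot: the new early return `if (!dir) return -1;` after `dir = sysdirlstat(t_path);` exits without releasing t_path, which copy_in_path() produced a few lines earlier; if the rest of the function frees that buffer on its normal exit path (not visible in this hunk), this return leaks it, and the existing `if (t_path == NULL) return -1;` is not a precedent because nothing has been allocated at that point, so consider routing this failure through the function's common cleanup instead. The neighbouring branch reports failure with set_error(EINVAL, ...), so it is also worth confirming that sysdirlstat() already sets an error when it returns NULL; otherwise the caller sees -1 with no error set. Dropping the `= NULL` initializer on dir is fine, since dir is assigned before its first use.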