mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-14 07:44:21 +08:00
0005e01e1e
If z_erofs_gbuf_growsize() partially fails on a global buffer due to
memory allocation failure or fault injection (as reported by syzbot [1]),
new pages need to be freed by comparing to the existing pages to avoid
memory leaks.
However, the old gbuf->pages[] array may not be large enough, which can
lead to null-ptr-deref or out-of-bound access.
Fix this by checking against gbuf->nrpages in advance.
[1] https://lore.kernel.org/r/000000000000f7b96e062018c6e3@google.com
Reported-by: syzbot+242ee56aaa9585553766@syzkaller.appspotmail.com
Fixes:
|
||
---|---|---|
.. | ||
compress.h | ||
data.c | ||
decompressor_deflate.c | ||
decompressor_lzma.c | ||
decompressor_zstd.c | ||
decompressor.c | ||
dir.c | ||
erofs_fs.h | ||
fscache.c | ||
inode.c | ||
internal.h | ||
Kconfig | ||
Makefile | ||
namei.c | ||
super.c | ||
sysfs.c | ||
xattr.c | ||
xattr.h | ||
zdata.c | ||
zmap.c | ||
zutil.c |