lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 18 Feb 2012 10:46:04 -0800 (PST)
From:	Hugh Dickins <hughd@...gle.com>
To:	Holger Macht <holger@...ac.de>
cc:	Hillf Danton <dhillf@...il.com>, Matthew Garrett <mjg@...hat.com>,
	Jeff Garzik <jgarzik@...hat.com>,
	Stephen Rothwell <sfr@...b.auug.org.au>,
	linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: linux-next: dock_link_device is oopsy

On Sat, 18 Feb 2012, Holger Macht wrote:
> How about that one?

It's more broken than that.  Here's my attempt.  It boots on the
systems with dock_station_count 0, and it boots on my laptop with
dock_station_count 2; but I don't actually have any docking station,
so it still doesn't test very much (dock is 0 after the loop).

I have no idea if what goes on in the loop is correct, but it looks
to me as if (as predicted) there's further breakage, that it would
have been writing beyond the end of what it allocated if I did have
a docking station.

Hugh

[PATCH] dock: fix bootup oops and other dock_link breakage

dock_link_device() and dock_unlink_device() should bail out early
to avoid oops on zero-length kmalloc() when dock_station_count is 0.

But isn't there an off-by-one in that kmalloc() length anyway?
An extra NULL appended at the end suggests so.

Rework the ordering with gotos on failure to fix several issues.

And presumably dock_unlink_device() should be presenting the same
interface as dock_link_device(), with NULL returned when none found.

Signed-off-by: Hugh Dickins <hughd@...gle.com>
---

 drivers/acpi/dock.c |   69 +++++++++++++++++++++++++++++-------------
 1 file changed, 49 insertions(+), 20 deletions(-)

--- linux-next/drivers/acpi/dock.c	2012-02-17 08:02:12.280064984 -0800
+++ fixed/drivers/acpi/dock.c	2012-02-18 09:57:54.926244796 -0800
@@ -281,21 +281,25 @@ EXPORT_SYMBOL_GPL(is_dock_device);
  */
 struct device **dock_link_device(acpi_handle handle)
 {
-	struct device *dev = acpi_get_physical_device(handle);
+	struct device *dev;
 	struct dock_station *dock_station;
 	int ret, dock = 0;
 	struct device **devices;
 
-	devices = kmalloc(dock_station_count * sizeof(struct device *),
-			  GFP_KERNEL);
+	if (!dock_station_count)
+		return NULL;
 
-	if (!dev)
+	if (is_dock(handle))
 		return NULL;
 
-	if (is_dock(handle)) {
-		put_device(dev);
+	dev = acpi_get_physical_device(handle);
+	if (!dev)
 		return NULL;
-	}
+
+	devices = kmalloc((dock_station_count + 1) * sizeof(struct device *),
+			  GFP_KERNEL);
+	if (!devices)
+		goto put;
 
 	list_for_each_entry(dock_station, &dock_stations, sibling) {
 		if (find_dock_dependent_device(dock_station, handle)) {
@@ -304,13 +308,23 @@ struct device **dock_link_device(acpi_ha
 			WARN_ON(ret);
 			devices[dock] = &dock_station->dock_device->dev;
 			dock++;
+			if (dock == dock_station_count)
+				goto out;
 		}
 	}
-	if (!dock)
-		put_device(dev);
 
+	if (!dock)
+		goto free;
+out:
+	/* Keep a reference to the device while the link exists */
 	devices[dock] = NULL;
 	return devices;
+
+free:
+	kfree(devices);
+put:
+	put_device(dev);
+	return NULL;
 }
 EXPORT_SYMBOL_GPL(dock_link_device);
 
@@ -320,20 +334,25 @@ EXPORT_SYMBOL_GPL(dock_link_device);
  */
 struct device **dock_unlink_device(acpi_handle handle)
 {
-	struct device *dev = acpi_get_physical_device(handle);
+	struct device *dev;
 	struct dock_station *dock_station;
 	int dock = 0;
-	struct device **devices =
-		kmalloc(dock_station_count * sizeof(struct device *),
-			GFP_KERNEL);
+	struct device **devices;
 
-	if (!dev)
+	if (!dock_station_count)
 		return NULL;
 
-	if (is_dock(handle)) {
-		put_device(dev);
+	if (is_dock(handle))
 		return NULL;
-	}
+
+	dev = acpi_get_physical_device(handle);
+	if (!dev)
+		return NULL;
+
+	devices = kmalloc((dock_station_count + 1) * sizeof(struct device *),
+			  GFP_KERNEL);
+	if (!devices)
+		goto put;
 
 	list_for_each_entry(dock_station, &dock_stations, sibling) {
 		if (find_dock_dependent_device(dock_station, handle)) {
@@ -341,15 +360,25 @@ struct device **dock_unlink_device(acpi_
 					  dev_name(dev));
 			devices[dock] = &dock_station->dock_device->dev;
 			dock++;
+			if (dock == dock_station_count)
+				goto out;
 		}
 	}
-	/* An extra reference has been held while the link existed */
-	if (dock)
-		put_device(dev);
 
+	if (!dock)
+		goto free;
+out:
+	/* An extra reference has been held while the link existed */
+	put_device(dev);
 	put_device(dev);
 	devices[dock] = NULL;
 	return devices;
+
+free:
+	kfree(devices);
+put:
+	put_device(dev);
+	return NULL;
 }
 EXPORT_SYMBOL_GPL(dock_unlink_device);
 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ