lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 26 Jan 2017 14:32:51 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Ursula Braun <ubraun@...ux.vnet.ibm.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        linux-s390@...r.kernel.org, netdev@...r.kernel.org,
        kernel-janitors@...r.kernel.org
Subject: Re: [patch net-next] smc: some potential use after free bugs

On Thu, Jan 26, 2017 at 12:23:02PM +0100, Ursula Braun wrote:
> 
> On 01/26/2017 10:05 AM, Dan Carpenter wrote:
> > Say we got really unlucky and these failed on the last iteration, then
> > it could lead to a use after free bug.
> thanks for reporting this! I had already a similar patch prepared, but not
> yet submitted. It contains all your added lines plus these additional
> pre-initializations at definition time:
> 
> @@ -509,7 +509,7 @@ int smc_sndbuf_create(struct smc_sock *smc)
>         struct smc_connection *conn = &smc->conn;
>         struct smc_link_group *lgr = conn->lgr;
>         int tmp_bufsize, tmp_bufsize_short;
> -   struct smc_buf_desc *sndbuf_desc;
> + struct smc_buf_desc *sndbuf_desc = NULL;
>         int rc;
>  
>         /* use socket send buffer size (w/o overhead) as start value */
> 
> @@ -573,7 +575,7 @@ int smc_rmb_create(struct smc_sock *smc)
>         struct smc_connection *conn = &smc->conn;
>         struct smc_link_group *lgr = conn->lgr;
>         int tmp_bufsize, tmp_bufsize_short;
> -   struct smc_buf_desc *rmb_desc;
> + struct smc_buf_desc *rmb_desc = NULL;
>         int rc;
>  
>         /* use socket recv buffer size (w/o overhead) as start value */
> 
> If you do not contradict, I will post my enhanced patch version.

Those are obviously harmless changes...

My static checker knows those aren't required so it doesn't complain
about uninitialized variables.  But not all static analysis tools are as
clever.  ;)

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ