lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 19 Dec 2017 01:34:21 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Alexei Starovoitov <ast@...com>,
        Alexei Starovoitov <ast@...nel.org>,
        "David S . Miller" <davem@...emloft.net>
Cc:     Arnd Bergmann <arnd@...db.de>, netdev@...r.kernel.org,
        kernel-team@...com
Subject: Re: [PATCH bpf-next] bpf: arm64: fix uninitialized variable

On 12/18/2017 07:36 PM, Alexei Starovoitov wrote:
> On 12/18/17 10:19 AM, Daniel Borkmann wrote:
>> On 12/18/2017 07:09 PM, Alexei Starovoitov wrote:
>>> From: Alexei Starovoitov <ast@...com>
>>>
>>> fix the following issue:
>>> arch/arm64/net/bpf_jit_comp.c: In function 'bpf_int_jit_compile':
>>> arch/arm64/net/bpf_jit_comp.c:982:18: error: 'image_size' may be used
>>> uninitialized in this function [-Werror=maybe-uninitialized]
>>>
>>> Fixes: db496944fdaa ("bpf: arm64: add JIT support for multi-function programs")
>>> Reported-by: Arnd Bergmann <arnd@...db.de>
>>> Signed-off-by: Alexei Starovoitov <ast@...nel.org>
>>> ---
>>>  arch/arm64/net/bpf_jit_comp.c | 1 +
>>>  1 file changed, 1 insertion(+)
>>>
>>> diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
>>> index 396490cf7316..acaa935ed977 100644
>>> --- a/arch/arm64/net/bpf_jit_comp.c
>>> +++ b/arch/arm64/net/bpf_jit_comp.c
>>> @@ -897,6 +897,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
>>>          image_ptr = jit_data->image;
>>>          header = jit_data->header;
>>>          extra_pass = true;
>>> +        image_size = sizeof(u32) * ctx.idx;
>>>          goto skip_init_ctx;
>>>      }
>>>      memset(&ctx, 0, sizeof(ctx));
>>
>> I don't really mind, but it feels more complex than it needs to be
>> imho, since in the initial pass you fetch 'image_size' in fake pass
>> from ctx.idx, then we set ctx.idx to 0 again, do another pass and
>> use the cached ctx.idx from that second pass instead of the first
>> one where we set 'image_size' originally, so we definitely need to
>> take that into consideration in future reviews at least.
> 
> not sure what you mean.
> This check: ctx.idx != jit_data->ctx.idx matters the most.
> After first alloc the 'image_size' variable used for dumping only.
> That's why the JITing itself worked fine. We could have removed it
> since it's computable from idx, but imo it's fine this way.

Fair enough, given final ctx.idx value must be guaranteed to never change
in future between pass#1 and pass#2 from the first bpf_int_jit_compile()
run, then lets go with this smaller version; applied to bpf-next, thanks
Alexei!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ