lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Apr 2008 14:55:22 -0400 From: Trond Myklebust <trond.myklebust@....uio.no> To: Cyrill Gorcunov <gorcunov@...il.com> Cc: bfields@...ldses.org, neilb@...e.de, ibm-acpi@....eng.br, len.brown@...el.com, kkeil@...e.de, akpm@...ux-foundation.org, linux-kernel@...r.kernel.org Subject: Re: [patch 1/3] NFS: fix potential NULL pointer dereference On Wed, 2008-04-16 at 22:13 +0400, Cyrill Gorcunov wrote: > [Trond Myklebust - Wed, Apr 16, 2008 at 02:11:31PM -0400] > | > | On Wed, 2008-04-16 at 21:44 +0400, Cyrill Gorcunov wrote: > | > plain text document attachment (nfs-kstrdup-nul-fix) > | > It's possible to get NULL pointer dereference > | > if kstrndup failed > | > > | > Here is a possible scenario > | > > | > nfs4_get_sb > | > nfs4_validate_mount_data > | > o kstrndup failed so args->nfs_server.export_path = NULL > | > nfs4_create_server > | > nfs4_path_walk(..., NULL) -> Oops! > | > > | > Signed-off-by: Cyrill Gorcunov <gorcunov@...il.com> > | > | Why fix only the one case? What about the other kstrdup/kstrndup cases > | in super.c that appear to be unchecked? > | > | Trond > | > | > --- > | > > | > Index: linux-2.6.git/fs/nfs/super.c > | > =================================================================== > | > --- linux-2.6.git.orig/fs/nfs/super.c 2008-04-15 23:01:30.000000000 +0400 > | > +++ linux-2.6.git/fs/nfs/super.c 2008-04-16 20:01:44.000000000 +0400 > | > @@ -1858,6 +1858,8 @@ static int nfs4_validate_mount_data(void > | > if (len > NFS4_MAXPATHLEN) > | > return -ENAMETOOLONG; > | > args->nfs_server.export_path = kstrndup(c, len, GFP_KERNEL); > | > + if (!args->nfs_server.export_path) > | > + return -ENOMEM; > | > > | > dprintk("NFS: MNTPATH: '%s'\n", args->nfs_server.export_path); > | > > | > > This one is leading to NULL deref, others - don't So? The defensive coding principle is that you perform validity checks when the pointer is created. Otherwise, we could equally well have added the NULL deref check to nfs4_path_walk()... Trond -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists