lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Apr 2008 00:19:36 +0400 From: "Cyrill Gorcunov" <gorcunov@...il.com> To: "Trond Myklebust" <trond.myklebust@....uio.no> Cc: bfields@...ldses.org, neilb@...e.de, ibm-acpi@....eng.br, len.brown@...el.com, kkeil@...e.de, akpm@...ux-foundation.org, linux-kernel@...r.kernel.org Subject: Re: [patch 1/3] NFS: fix potential NULL pointer dereference Trond, I've just pointed the problem and its solution (which is seems to be a bit ugly, according to the rest nfs coding principle). So if you prefer to have such a check in 'walk_path' function - just say me that. You choose :) Thanks for comments On 4/16/08, Trond Myklebust <trond.myklebust@....uio.no> wrote: > > On Wed, 2008-04-16 at 22:13 +0400, Cyrill Gorcunov wrote: > > [Trond Myklebust - Wed, Apr 16, 2008 at 02:11:31PM -0400] > > | > > | On Wed, 2008-04-16 at 21:44 +0400, Cyrill Gorcunov wrote: > > | > plain text document attachment (nfs-kstrdup-nul-fix) > > | > It's possible to get NULL pointer dereference > > | > if kstrndup failed > > | > > > | > Here is a possible scenario > > | > > > | > nfs4_get_sb > > | > nfs4_validate_mount_data > > | > o kstrndup failed so args->nfs_server.export_path = NULL > > | > nfs4_create_server > > | > nfs4_path_walk(..., NULL) -> Oops! > > | > > > | > Signed-off-by: Cyrill Gorcunov <gorcunov@...il.com> > > | > > | Why fix only the one case? What about the other kstrdup/kstrndup cases > > | in super.c that appear to be unchecked? > > | > > | Trond > > | > > | > --- > > | > > > | > Index: linux-2.6.git/fs/nfs/super.c > > | > =================================================================== > > | > --- linux-2.6.git.orig/fs/nfs/super.c 2008-04-15 23:01:30.000000000 > +0400 > > | > +++ linux-2.6.git/fs/nfs/super.c 2008-04-16 20:01:44.000000000 +0400 > > | > @@ -1858,6 +1858,8 @@ static int nfs4_validate_mount_data(void > > | > if (len > NFS4_MAXPATHLEN) > > | > return -ENAMETOOLONG; > > | > args->nfs_server.export_path = kstrndup(c, len, GFP_KERNEL); > > | > + if (!args->nfs_server.export_path) > > | > + return -ENOMEM; > > | > > > | > dprintk("NFS: MNTPATH: '%s'\n", args->nfs_server.export_path); > > | > > > | > > > > This one is leading to NULL deref, others - don't > > So? The defensive coding principle is that you perform validity checks > when the pointer is created. Otherwise, we could equally well have added > the NULL deref check to nfs4_path_walk()... > > Trond > > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists