| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Apr 2008 00:19:36 +0400
From: "Cyrill Gorcunov" <gorcunov@...il.com>
To: "Trond Myklebust" <trond.myklebust@....uio.no>
Cc: bfields@...ldses.org, neilb@...e.de, ibm-acpi@....eng.br,
len.brown@...el.com, kkeil@...e.de, akpm@...ux-foundation.org,
linux-kernel@...r.kernel.org
Subject: Re: [patch 1/3] NFS: fix potential NULL pointer dereference
Trond, I've just pointed the problem and its solution (which is seems
to be a bit ugly, according to the rest nfs coding principle). So if
you prefer to have such a check in 'walk_path' function - just say me
that. You choose :) Thanks for comments
On 4/16/08, Trond Myklebust <trond.myklebust@....uio.no> wrote:
>
> On Wed, 2008-04-16 at 22:13 +0400, Cyrill Gorcunov wrote:
> > [Trond Myklebust - Wed, Apr 16, 2008 at 02:11:31PM -0400]
> > |
> > | On Wed, 2008-04-16 at 21:44 +0400, Cyrill Gorcunov wrote:
> > | > plain text document attachment (nfs-kstrdup-nul-fix)
> > | > It's possible to get NULL pointer dereference
> > | > if kstrndup failed
> > | >
> > | > Here is a possible scenario
> > | >
> > | > nfs4_get_sb
> > | > nfs4_validate_mount_data
> > | > o kstrndup failed so args->nfs_server.export_path = NULL
> > | > nfs4_create_server
> > | > nfs4_path_walk(..., NULL) -> Oops!
> > | >
> > | > Signed-off-by: Cyrill Gorcunov <gorcunov@...il.com>
> > |
> > | Why fix only the one case? What about the other kstrdup/kstrndup cases
> > | in super.c that appear to be unchecked?
> > |
> > | Trond
> > |
> > | > ---
> > | >
> > | > Index: linux-2.6.git/fs/nfs/super.c
> > | > ===================================================================
> > | > --- linux-2.6.git.orig/fs/nfs/super.c 2008-04-15 23:01:30.000000000
> +0400
> > | > +++ linux-2.6.git/fs/nfs/super.c 2008-04-16 20:01:44.000000000 +0400
> > | > @@ -1858,6 +1858,8 @@ static int nfs4_validate_mount_data(void
> > | > if (len > NFS4_MAXPATHLEN)
> > | > return -ENAMETOOLONG;
> > | > args->nfs_server.export_path = kstrndup(c, len, GFP_KERNEL);
> > | > + if (!args->nfs_server.export_path)
> > | > + return -ENOMEM;
> > | >
> > | > dprintk("NFS: MNTPATH: '%s'\n", args->nfs_server.export_path);
> > | >
> > |
> >
> > This one is leading to NULL deref, others - don't
>
> So? The defensive coding principle is that you perform validity checks
> when the pointer is created. Otherwise, we could equally well have added
> the NULL deref check to nfs4_path_walk()...
>
> Trond
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists