lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20080521203212.ddf05254.akpm@linux-foundation.org>
Date:	Wed, 21 May 2008 20:32:12 -0700
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Shi Weihua <shiwh@...fujitsu.com>
Cc:	"Serge E. Hallyn" <serue@...ibm.com>, morgan@...nel.org,
	linux-security-module@...r.kernel.org,
	LKML <linux-kernel@...r.kernel.org>, jmorris@...ei.org,
	ltp-list@...ts.sourceforge.net
Subject: Re: [PATCH] fix sys_prctl() returned uninitialized value

On Thu, 22 May 2008 11:19:21 +0800 Shi Weihua <shiwh@...fujitsu.com> wrote:

> When we test kernel by the latest LTP(20080430) on ia64,
> the following failure occured:
> -------------------------------------
> prctl01     1  PASS  :  Test Passed
> prctl01     0  WARN  :  prctl() returned 2048 errno = 0 : Success
> prctl01     1  PASS  :  Test Passed
> prctl01     2  FAIL  :  Test Failed
> -------------------------------------
> 
> We found commit 3898b1b4ebff8dcfbcf1807e0661585e06c9a91c
> causes this failure by git-bisect.
> And, we found 'error' has not been initialized in the function 
> sys_prctl()(kernel/sys.c). When the capability module is not taking
> responsibility for this call, sys_prctl() may return a wrong value.
> 
> Now, i fixed it.
> 
> Signed-off-by: Shi Weihua <shiwh@...fujitsu.com> 
> ---
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 895d2d4..26eb0f7 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -1652,7 +1652,7 @@ asmlinkage long sys_umask(int mask)
>  asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
>  			  unsigned long arg4, unsigned long arg5)
>  {
> -	long uninitialized_var(error);
> +	long error = 0;
>  
>  	if (security_task_prctl(option, arg2, arg3, arg4, arg5, &error))
>  		return error;

Oh dear, there are so many things wrong with this...

- if security_task_prctl() is returning "fail" then why on earth
  isn't it setting the error code?

- cap_task_prctl() _does_ set `error' is if returns non-zero, so it
  must be one of the other myriad backend implementations of
  security_task_prctl() which is busted.  Which one is it?

- With the above patch applied, sys_prctl() will return zero (ie:
  "success") even though it just failed.

- Can't we remove the sixth argument to security_task_prctl() and
  just return the result code like a sane function would do?  
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ