| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 May 2009 09:24:12 +0900 From: Hiroshi Shimamoto <h-shimamoto@...jp.nec.com> To: "H. Peter Anvin" <hpa@...or.com> CC: Ingo Molnar <mingo@...e.hu>, Subrata Modak <subrata@...ux.vnet.ibm.com>, x86@...nel.org, Sachin P Sant <sachinp@...ux.vnet.ibm.com>, Andi Kleen <andi@...stfloor.org>, Andi Kleen <ak@...ux.intel.com>, Linux Kernel <linux-kernel@...r.kernel.org>, Balbir Singh <balbir@...ux.vnet.ibm.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com> Subject: Re: [PATCH] Fix Warnining in arch/x86/kernel/signal.c H. Peter Anvin wrote: > Ingo Molnar wrote: >>>>> >>>>> if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) >>>>> goto badframe; >>>>> - if (__get_user(set.sig[0], &frame->sc.oldmask) || (_NSIG_WORDS > 1 >>>>> - && __copy_from_user(&set.sig[1], &frame->extramask, >>>>> - sizeof(frame->extramask)))) >>>>> + >>>>> + if ( (__copy_from_user(&set.sig[1], &frame->extramask, >>>>> + sizeof(frame->extramask)) && _NSIG_WORDS > 1) || >>>>> + __get_user(set.sig[0], &frame->sc.oldmask)) >>>>> goto badframe; >>>> I'm not sure why this eliminates that warning. >>>> set.sig[0] may not be initialized too, if __copy_from_user() failed. >>> True, but only when either or both of __copy_from_user() and >>> (_NSIG_WORDS > 1) fails. But in all instances set.sig[1] gets >>> initialized. >>> >>>> I don't have enough time to look at this right now, sorry. >>>> >>>> Another question, __copy_from_user() will be called even if >>>> _NSIG_WORDS is less than 2, perhaps it never occurs. >>>> I think, to check _NSIG_WORDS > 1 before calling __copy_from_user() >>>> is better. >>> Fine. Let Ingo/Thomas/Peter decide whether they would like this fix or >>> drop it. >> If you get the Acked-by from Hiroshi-san it looks good to me. He >> modified this code last. >> > > This seriously looks wrong to me. If _NSIG_WORDS == 1, then calling > __copy_from_user here is a serious error. Right. If _NSIG_WORDS is 1, sigset_t set has only sig[0], writing to set.sig[1] means stack corruption. Subrata, could you try like this? if ((_NSIG_WORDS > 1 && __copy_from_user(&set.sig[1], ...) || __get_user(set.sig[0], ...)) I wonder whether gcc really complains about the case of __get_user(set.sig[0], ...) failure. Why, the case which sig[0] initialized and sig[1] uninitialized is NG and the case which sig[0] uninitialized and sig[1] initialized is OK. Thanks, Hiroshi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists