Message-ID: <alpine.LFD.2.00.1006041452130.8175@i5.linux-foundation.org>
Date:	Fri, 4 Jun 2010 15:05:01 -0700 (PDT)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	"Luck, Tony" <tony.luck@...el.com>
cc:	Rusty Russell <rusty@...tcorp.com.au>,
	Dave Young <hidave.darkstar@...il.com>,
	Stephen Rothwell <sfr@...b.auug.org.au>,
	"linux-next@...r.kernel.org" <linux-next@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>
Subject: RE: linux-next: Tree for June 3
On Fri, 4 Jun 2010, Luck, Tony wrote:
> 
> This almost always means that we dereferenced a NULL pointer ... though
> any access into the bottom PAGE_SIZE of kernel virtual address space
> will result in this trap.  This happens on ia64 because we have a "NaT"
> page mapped at 0x0 so that speculative loads that chase NULL pointers
> at the end of lists behave more rationally.
> 
> Sadly I don't have the actual address. The register that was used
> for the dereference isn't included in the OOPS output.

Ok, so it confirms just that load_module() has returned a pointer that is 
either NULL or at least within PAGE_SIZE-552.

It could be a negative error pointer (and the offset of 552 turns it into 
the NULL page), but that's what the whole IS_ERR() thing checks for, so 
that's not the case.

So the

	if (err)
		return ERR_PTR(err);

case does seem pretty likely (most of them with a "goto <error-case>", but 
some directly). Many of them have the stricter form of "if (err < 0)", but 
there's a number that do not.

And in fact, I think I see the bad one:

        /* Figure out module layout, and allocate all the memory. */
        mod = layout_and_allocate(&info);
        if (IS_ERR(mod))
                goto free_copy;

which looks fine, but "free_copy:" expects the error number in "err", 
which is what the other error cases do.

I think this was introduced by Rusty's commit 5d3f5be82944 ("module: 
layout_and_allocate"), and here's a suggested fix. The easiest fix is to 
actually change the "free_copy" target to return "mod" as the above goto 
expects, and then just do a conversion before the fall-through from the 
other error cases (that have it in 'err').

Does this fix it? I stopped looking for other possible causes when I found 
this one.

		Linus

---
 kernel/module.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c
index 69a3f12..9a0b275 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2653,9 +2653,10 @@ static struct module *load_module(void __user *umod,
 	module_unload_free(mod);
  free_module:
 	module_deallocate(mod, &info);
+	mod = ERR_PTR(err);
  free_copy:
 	free_copy(&info);
-	return ERR_PTR(err);
+	return mod;
 }
 
 /* Call module constructors. */
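Review bot: with free_copy now returning mod, every goto free_copy in load_module() must arrive with mod already holding an ERR_PTR; only the layout_and_allocate() path quoted earlier in the message is shown to do that, and any other jump to free_copy that sets err but never assigns mod would now return a NULL or stale mod instead of an error, the same class of bug this patch fixes. Worth grepping the function for the remaining `goto free_copy` sites before applying, or alternatively keeping `return ERR_PTR(err);` and writing `err = PTR_ERR(mod);` at the layout_and_allocate() goto so a single variable carries the error. The added `mod = ERR_PTR(err);` before free_copy also still yields NULL for any path that reaches free_module with err == 0, so a one-line comment that err must be negative there would document the invariant the fall-through relies on.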
--
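A user-space model of the error-pointer convention and of the free_copy mix-up discussed above, as an added example that is not part of the original message or of kernel/module.c. ERR_PTR(), IS_ERR() and PTR_ERR() are reimplemented with the kernel's usual definitions; load_module_buggy() and load_module_fixed() reproduce the pre- and post-patch shapes of the error path, while layout_and_allocate_model(), later_step_model(), offset_lands_in_null_page(), the 4096-byte page size and the -ENOMEM/-EINVAL failure values are assumptions constructed here for illustration.

```c
/* Added example (not from the LKML message or from kernel/module.c):
 * a user-space model of the kernel's ERR_PTR()/IS_ERR()/PTR_ERR()
 * convention and of the load_module() error-path mix-up described
 * above. Everything suffixed _model is an assumption made here for
 * illustration, not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ERRNO 4095	/* kernel convention: errnos live in the top 4095 bytes */

static inline void *ERR_PTR(long error)
{
	return (void *)error;
}

static inline long PTR_ERR(const void *ptr)
{
	return (long)ptr;
}

static inline int IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Does pointer p plus a field offset land in the page mapped at 0?
 * Models the "negative error pointer + 552 wraps into the NULL page"
 * reasoning; page_size is a parameter because it is an assumption. */
static int offset_lands_in_null_page(const void *p, unsigned long off,
				     unsigned long page_size)
{
	return ((unsigned long)p + off) < page_size;
}

struct module_model { int refs; };
static struct module_model the_module;	/* static so nothing leaks */

/* Stand-in for layout_and_allocate(): its failure is an ERR_PTR. */
static struct module_model *layout_and_allocate_model(int fail)
{
	return fail ? ERR_PTR(-ENOMEM) : &the_module;
}

/* Stand-in for a later step whose failure is a plain negative errno. */
static long later_step_model(struct module_model *mod, int fail)
{
	(void)mod;
	return fail ? -EINVAL : 0;
}

/* Pre-patch shape: free_copy returns ERR_PTR(err), but the
 * layout_and_allocate path jumps there without storing its error in
 * err, so err is still 0 and ERR_PTR(0) is NULL, which passes IS_ERR(). */
static struct module_model *load_module_buggy(int fail_layout, int fail_later)
{
	long err = 0;
	struct module_model *mod;

	mod = layout_and_allocate_model(fail_layout);
	if (IS_ERR(mod))
		goto free_copy;		/* err not set: returns NULL */

	err = later_step_model(mod, fail_later);
	if (err)
		goto free_module;	/* err set: returns a real ERR_PTR */
	return mod;

free_module:
	/* module_deallocate() would run here */
free_copy:
	return ERR_PTR(err);
}

/* Patched shape: free_copy returns mod, and the paths that carry their
 * error in err convert it before falling through. */
static struct module_model *load_module_fixed(int fail_layout, int fail_later)
{
	long err = 0;
	struct module_model *mod;

	mod = layout_and_allocate_model(fail_layout);
	if (IS_ERR(mod))
		goto free_copy;		/* mod already holds the ERR_PTR */

	err = later_step_model(mod, fail_later);
	if (err)
		goto free_module;
	return mod;

free_module:
	mod = ERR_PTR(err);		/* err must be negative here */
free_copy:
	return mod;
}

int main(void)
{
	struct module_model *m = load_module_buggy(1, 0);

	/* A caller checking IS_ERR() misses this and dereferences NULL. */
	printf("buggy: layout failure -> %p, IS_ERR=%d\n", (void *)m, IS_ERR(m));
	m = load_module_fixed(1, 0);
	printf("fixed: layout failure -> errno %ld\n", -PTR_ERR(m));
	printf("ERR_PTR(-ENOMEM)+552 in NULL page: %d\n",
	       offset_lands_in_null_page(ERR_PTR(-ENOMEM), 552, 4096));
	return 0;
}
```

The buggy variant returns NULL only on the layout path, which is exactly why the oops reports a fault in the bottom page rather than an error return; the later_step path was already correct because it stored its errno in err before jumping. offset_lands_in_null_page() shows why Linus could rule out a surviving ERR_PTR: a small negative errno plus 552 wraps to a low address, but IS_ERR() would have caught that pointer before any field access.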