lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100710191026.GA12443@ciphex>
Date:	Sat, 10 Jul 2010 12:10:26 -0700
From:	David Beal <linux-kernel@...idbeal.net>
To:	shenghui <crosslonelyover@...il.com>
Cc:	kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-ext4@...r.kernel.org
Subject: Re: [PATCH] avoid NULL deference in ext2_xattr_get


Hi Sheng-Hui,

There is no NULL dereference in this particular case.  In Linux's printing
routines, printk("%s",(char*)0) is safe, and would result in a "<NULL>" token
being printed.

Indicating that the "name" argument is "<NULL>" in the output of the ea_debug
routine is clearly valuable, as its purpose is to emit debugging messages.

If your patch were applied, then a log message indicating that "name" is
"<NULL>" would not appear.  Adding ternary operator inside printk() argument
body is also not necessary.

Specifically, in lib/vsnprintf.c, which services printk, a check against NULL
is made for the string format specifier, %s:

lib/vsnprintf.c:
...
static char *string(char *buf, char *end, char *s, struct printf_spec spec)
{
        int len, i;

        if ((unsigned long)s < PAGE_SIZE)
                s = "<NULL>";
...

The NULL check inside snprintf is GOOD, as it makes printk safer, and removes
the need for the thousands of conditional branches that would need to be done
OUTSIDE the printk function in order to check whether the argument to %s is
NULL.

Branch prediction has an easier time working with a branch in a function that
is more often in the cache.

Thank you,
David Beal


On Sat, Jul 10, 2010 at 04:07:28PM +0800, shenghui wrote:
> Hi,
> 
>          I walked through ext2 code, and found one potential NULL deference
> in ext2/xattr.c.  The version is 2.6.35-rc4, while earlier versions have the
> same problem.
>          If you configure EXT2_XATTR_DEBUG, you'll get:
> # define ea_idebug(inode, f...) do { \
>                 printk(KERN_DEBUG "inode %s:%ld: ", \
>                         inode->i_sb->s_id, inode->i_ino); \
>                 printk(f); \
>                 printk("\n"); \
>         } while (0)
> 
> In ext2/xttr.c ext2_xattr_get, NULL pointer check is done after
> ea_idebug call, so some may hit NULL deference here.
>  ext2_xattr_get(struct inode *inode, int name_index, const char *name,
>                 void *buffer, size_t buffer_size)
>  {
>          struct buffer_head *bh = NULL;
>          struct ext2_xattr_entry *entry;
>          size_t name_len, size;
>          char *end;
>          int error;
> 
>          ea_idebug(inode, "name=%d.%s, buffer=%p, buffer_size=%ld",
>                    name_index, name, buffer, (long)buffer_size);
> 
>          if (name == NULL)
>                  return -EINVAL;
> 
> 
> Following is my patch. Please check it.
> The patch is against kernel 2.6.35-rc4.
> 
> 
> From adc1fa6535034db3b6d8deebda6ec7eaa8bfd2f8 Mon Sep 17 00:00:00 2001
> From: Wang Sheng-Hui <crosslonelyover@...il.com>
> Date: Sat, 10 Jul 2010 16:05:53 +0800
> Subject: [PATCH] avoid NULL deference in ext2_xattr_get
> 
> 
> Signed-off-by: Wang Sheng-Hui <crosslonelyover@...il.com>
> ---
>  fs/ext2/xattr.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
> index 7c39157..81ec1c6 100644
> --- a/fs/ext2/xattr.c
> +++ b/fs/ext2/xattr.c
> @@ -156,11 +156,12 @@ ext2_xattr_get(struct inode *inode, int
> name_index, const char *name,
>  	char *end;
>  	int error;
> 
> +	if (name == NULL)
> +		return -EINVAL;
> +
>  	ea_idebug(inode, "name=%d.%s, buffer=%p, buffer_size=%ld",
>  		  name_index, name, buffer, (long)buffer_size);
> 
> -	if (name == NULL)
> -		return -EINVAL;
>  	down_read(&EXT2_I(inode)->xattr_sem);
>  	error = -ENODATA;
>  	if (!EXT2_I(inode)->i_file_acl)
> -- 
> 1.6.3.3
> 
> 
> 
> 
> -- 
> 
> 
> Thanks and Best Regards,
> shenghui
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ