Date:	Thu, 30 Jun 2011 07:42:42 -0400
From:	Christoph Hellwig <hch@...radead.org>
To:	Alexey Khoroshilov <khoroshilov@...ras.ru>
Cc:	Christoph Hellwig <hch@...era.com>,
	Anton Salikhmetov <alexo@...era.com>,
	Al Viro <viro@...iv.linux.org.uk>, roman@...istech.com,
	linux-kernel@...r.kernel.org, ldv-project@...ras.ru
Subject: Re: [PATCH 1/2] hfsplus: add error checking for hfs_find_init()

On Fri, Jun 24, 2011 at 01:15:01AM +0400, Alexey Khoroshilov wrote:
> hfs_find_init() may fail with ENOMEM, but there are places where
> the returned value is not checked. The consequences can be very
> unpleasant, e.g. kfree of an uninitialized pointer and
> inappropriate mutex unlocking.
> 
> The patch adds checks for errors in hfs_find_init().
> 
> Found by Linux Driver Verification project (linuxtesting.org).

What kind of testing did you do in detail?

> -	hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
> +	err = hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
> +	if (err)
> +		goto err_init;
>  
>  	hfsplus_cat_build_key(sb, fd.search_key, cnid, NULL);
>  	entry_size = hfsplus_fill_cat_thread(sb, &entry,
> @@ -255,6 +257,7 @@ err1:
>  		hfs_brec_remove(&fd);
>  err2:
>  	hfs_find_exit(&fd);
> +err_init:
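
Review bot: the `err_init:` label after `hfs_find_exit(&fd)` adds a third exit path for a case that, as far as these lines show, has nothing to undo. Jumping past `hfs_find_exit()` on a failed init is right, since `fd` was never set up, but if only the return follows the label, a plain `return err;` at the `hfs_find_init()` check is simpler and leaves `err1`/`err2` as the only unwind labels.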

Please just return the error directly unless there's something to
unwind, both here and in other places.

> @@ -124,9 +124,10 @@ static void hfsplus_ext_write_extent_locked(struct inode *inode)
>  	if (HFSPLUS_I(inode)->extent_state & HFSPLUS_EXT_DIRTY) {
>  		struct hfs_find_data fd;
>  
> -		hfs_find_init(HFSPLUS_SB(inode->i_sb)->ext_tree, &fd);
> -		__hfsplus_ext_write_extent(inode, &fd);
> -		hfs_find_exit(&fd);
> +		if (!hfs_find_init(HFSPLUS_SB(inode->i_sb)->ext_tree, &fd)) {
> +			__hfsplus_ext_write_extent(inode, &fd);
> +			hfs_find_exit(&fd);
> +		}
>  	}
>  }
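
Review bot: the result of `hfs_find_init()` is discarded in `hfsplus_ext_write_extent_locked()`: when init fails the whole block is skipped, so the dirty extent is not written and the `void` function gives its callers no sign of that. Consider making the function return an int and passing the `hfs_find_init()` result up, so a failed write of a dirty extent is not silent.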

This one needs to be propagated back through the callers.

> @@ -523,7 +528,11 @@ void hfsplus_file_truncate(struct inode *inode)
>  		goto out;
>  
>  	mutex_lock(&hip->extents_lock);
> -	hfs_find_init(HFSPLUS_SB(sb)->ext_tree, &fd);
> +	res = hfs_find_init(HFSPLUS_SB(sb)->ext_tree, &fd);
> +	if (res) {
> +		mutex_unlock(&hip->extents_lock);
> +		return;
> +	}
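
Review bot: the failure branch in `hfsplus_file_truncate()` leaves through a bare `return` after `mutex_unlock(&hip->extents_lock)`, while the check just above it leaves through `goto out`; if `out:` does any cleanup, this path skips it. Either route the failure through the same exit as the rest of the function, or add a comment on the branch stating that the truncate is abandoned without reporting the `hfs_find_init()` error.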

At least add an XXX comment about the lack of error handling here.
Once hfsplus gets converted to the new truncate sequence we'll be
able to handle to return it.
