lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <511BA5D5.6050902@canonical.com>
Date:	Wed, 13 Feb 2013 07:40:21 -0700
From:	Tim Gardner <tim.gardner@...onical.com>
To:	"J. Bruce Fields" <bfields@...ldses.org>
CC:	linux-kernel@...r.kernel.org,
	Trond Myklebust <Trond.Myklebust@...app.com>,
	linux-nfs@...r.kernel.org
Subject: Re: [PATCH linux-next] lockd: nlmsvc_mark_resources(): avoid stack
 overflow

On 02/12/2013 02:22 PM, J. Bruce Fields wrote:
> On Tue, Feb 12, 2013 at 12:48:58PM -0700, Tim Gardner wrote:
>> Dynamically allocate the NLM host structure in order to avoid stack overflow.
>> nlmsvc_mark_resources() is several call levels deep in a stack
>> that has a number of large variables. 512 bytes seems like a lot
>> on the stack at this point.
>>
>> smatch analysis:
>>
>> fs/lockd/svcsubs.c:366 nlmsvc_mark_resources() warn: 'hint' puts
>>  512 bytes on stack
>>
>> Cc: Trond Myklebust <Trond.Myklebust@...app.com>
>> Cc: "J. Bruce Fields" <bfields@...ldses.org>
>> Cc: linux-nfs@...r.kernel.org
>> Signed-off-by: Tim Gardner <tim.gardner@...onical.com>
>> ---
>>  fs/lockd/svcsubs.c |   12 ++++++++----
>>  1 file changed, 8 insertions(+), 4 deletions(-)
>>
>> diff --git a/fs/lockd/svcsubs.c b/fs/lockd/svcsubs.c
>> index b904f41..f3abb7f 100644
>> --- a/fs/lockd/svcsubs.c
>> +++ b/fs/lockd/svcsubs.c
>> @@ -363,11 +363,15 @@ nlmsvc_is_client(void *data, struct nlm_host *dummy)
>>  void
>>  nlmsvc_mark_resources(struct net *net)
>>  {
>> -	struct nlm_host hint;
>> +	struct nlm_host *hint = kzalloc(sizeof(*hint), GFP_KERNEL);
>>  
>> -	dprintk("lockd: nlmsvc_mark_resources for net %p\n", net);
>> -	hint.net = net;
>> -	nlm_traverse_files(&hint, nlmsvc_mark_host, NULL);
>> +	if (hint) {
>> +		dprintk("lockd: nlmsvc_mark_resources for net %p\n", net);
>> +		hint->net = net;
>> +		nlm_traverse_files(hint, nlmsvc_mark_host, NULL);
>> +	}
> 
> Silently neglecting to do this looks like a bad idea.
> 
> It's strange that we're passing in an nlm_host when all we actually use
> is the struct net*.  Why not just change this to pass in the net
> instead?
> 
> --b.
> 

It won't really be silent. k[zm]alloc() dumps a stack trace on failure
to allocate unless GFP_NOWARN is set in the flags. I think this is a bit
better then possibly corrupting the stack.

Changing the prototype to just pass in 'net' has knock on effects that
make this patch a whole lot bigger. You'd have to change the code within
a bunch of functions which are difficult to verify at compile time
because of the use of 'void *data' as the first parameter. Is there
still a good reason for that parameter to be opaque ?

rtg
-- 
Tim Gardner tim.gardner@...onical.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ