Open Source and information security mailing list archives
Message-ID: <55B1A23A.5060303@plumgrid.com>
Date:	Thu, 23 Jul 2015 19:26:02 -0700
From:	Alexei Starovoitov <ast@...mgrid.com>
To:	xiakaixu <xiakaixu@...wei.com>
Cc:	davem@...emloft.net, acme@...nel.org, mingo@...hat.com,
	a.p.zijlstra@...llo.nl, masami.hiramatsu.pt@...achi.com,
	jolsa@...nel.org, wangnan0@...wei.com,
	linux-kernel@...r.kernel.org, pi3orama@....com, hekuang@...wei.com
Subject: Re: [PATCH v3 1/3] bpf: Add new bpf map type to store the pointer to
 struct perf_event

On 7/23/15 7:22 PM, xiakaixu wrote:
>>> +    /* check if the value is already stored */
>>> >>+    if (array->events[index])
>>> >>+        return -EINVAL;
>>> >>+
>>> >>+    /* convert the fd to the pointer to struct perf_event */
>>> >>+    event = convert_map_with_perf_event(value);
>> >
>> >imo helper name is misleading and it's too short to be separate
>> >function. Just inline it and you can reuse 'index' variable.
>> >
>>> >>+    if (!event)
>>> >>+        return -EBADF;
>>> >>+
>>> >>+    xchg(array->events + index, event);
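Review bot: The value returned by `xchg(array->events + index, event)` on the last line is discarded, so any pointer that was in the slot at that moment is lost without its reference being released. The `if (array->events[index])` test at the top of the hunk is a separate, unlocked read and cannot guarantee the slot is still empty when the exchange runs. Either fold the test and the store into one atomic step, for example a `cmpxchg()` of the slot against NULL that fails the update and drops the new event's reference when it does not return NULL, or keep `xchg()` and release the event it returns.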
>> >
>> >refcnt leak of old event! Please think it through.
>> >This type of bugs I shouldn't be finding.
> Maybe the commit message is not elaborate. Here I prevent
> user space from updating the existing event, so the return
> value of xchg() is NULL and no refcnt leak of old event.
> I will do the same as prog_array in next version.

I see, then it's even worse.
You think that above check:
+    if (array->events[index])
+        return -EINVAL;
will protect against the double insert?
It won't, since there are no locks here.
You can have two processes both seeing an empty slot and
racing to do xchg.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
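
The interleaving described in the reply above, replayed deterministically in user space with C11 atomics. This is an added example, not code from the patch or from anyone in the thread; `struct event`, `slot`, the `refcnt` field, the helper names and the compare-and-exchange variant with its `-EEXIST` return are assumptions made for illustration.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical stand-ins: struct event for struct perf_event, slot for
 * array->events[index]; refcnt models the reference taken from the fd. */
struct event { int refcnt; };
static _Atomic(struct event *) slot;

/* The quoted pattern, split where another task can be scheduled in. */
static int racy_check(void) { return atomic_load(&slot) ? -EINVAL : 0; }
static void racy_store(struct event *ev) { (void)atomic_exchange(&slot, ev); }

/* Test and store as one atomic step, so only one updater can win. */
static int insert_if_empty(struct event *ev)
{
    struct event *expected = NULL;
    if (atomic_compare_exchange_strong(&slot, &expected, ev))
        return 0;
    ev->refcnt--;                 /* loser releases its own reference */
    return -EEXIST;
}

/* Replays updaters A and B on one empty slot; returns how many events are
 * still referenced afterwards but no longer reachable through the slot. */
static int leaked_after(int use_cmpxchg)
{
    struct event a = { 1 }, b = { 1 };
    int leaked;
    atomic_store(&slot, NULL);
    if (use_cmpxchg) {
        insert_if_empty(&a);
        insert_if_empty(&b);      /* fails with -EEXIST, slot keeps A */
    } else if (racy_check() == 0 && racy_check() == 0) {
        racy_store(&a);           /* A and B both saw an empty slot ... */
        racy_store(&b);           /* ... so B silently displaces A */
    }
    leaked = (a.refcnt > 0 && atomic_load(&slot) != &a) +
             (b.refcnt > 0 && atomic_load(&slot) != &b);
    atomic_store(&slot, NULL);
    return leaked;
}

int main(void)
{
    printf("check+xchg: %d leaked, cmpxchg: %d leaked\n",
           leaked_after(0), leaked_after(1));
    return 0;
}
```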