| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Feb 2016 16:52:56 +0000 From: Al Viro <viro@...IV.linux.org.uk> To: Joe Korty <joe.korty@...r.com> Cc: "David S. Miller" <davem@...emloft.net>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] Fix kfree bug in sendmsg and recvmsg On Wed, Feb 17, 2016 at 04:44:07PM +0000, Al Viro wrote: > On Wed, Feb 17, 2016 at 11:38:05AM -0500, Joe Korty wrote: > > Fix kfree bug in recvmsg and sendmsg. > > > > We cannot kfree(iov) when iov points to an array on the > > stack, as that has the potential of corrupting memory. > > > > So re-introduce the if-stmt that used to protect kfree > > from this condition, code that was removed as part of > > a larger set of changes made by git commit da184284. > > NAK. You are misreading import_iovec(): > *iov = p == *iov ? NULL : p; > in the end will have iov replaced with NULL if we ended up using what > it originally pointed to. PS: that's absolutely deliberate - cleanup after import_iovec() (and its wrappers) is *always* of the same sort; that way we avoid the checks completely. The rules are much simpler that way: after the call of import_iovec() cleanup is always kfree(iov), no matter what and that's the only thing iov should be used after that call. Your "restored" check won't harm anything, precisely because it'll never be satisfied. Note that this is the normal codepath - we go through out_freeiov on success as well. If iov remained pointing to on-stack array in case of short vector, we would've been ears-deep in oopsen. The reason why we are not is that in this case iov ends up being NULL.
Powered by blists - more mailing lists