lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160217165256.GM17997@ZenIV.linux.org.uk>
Date:	Wed, 17 Feb 2016 16:52:56 +0000
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Joe Korty <joe.korty@...r.com>
Cc:	"David S. Miller" <davem@...emloft.net>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] Fix kfree bug in sendmsg and recvmsg

On Wed, Feb 17, 2016 at 04:44:07PM +0000, Al Viro wrote:
> On Wed, Feb 17, 2016 at 11:38:05AM -0500, Joe Korty wrote:
> > Fix kfree bug in recvmsg and sendmsg.
> > 
> > We cannot kfree(iov) when iov points to an array on the
> > stack, as that has the potential of corrupting memory.
> > 
> > So re-introduce the if-stmt that used to protect kfree
> > from this condition, code that was removed as part of
> > a larger set of changes made by git commit da184284.
> 
> NAK.  You are misreading import_iovec():
>         *iov = p == *iov ? NULL : p;
> in the end will have iov replaced with NULL if we ended up using what
> it originally pointed to.

PS: that's absolutely deliberate - cleanup after import_iovec() (and its
wrappers) is *always* of the same sort; that way we avoid the checks
completely.  The rules are much simpler that way: after the call of
import_iovec() cleanup is always kfree(iov), no matter what and that's
the only thing iov should be used after that call.

Your "restored" check won't harm anything, precisely because it'll never
be satisfied.  Note that this is the normal codepath - we go through
out_freeiov on success as well.  If iov remained pointing to on-stack
array in case of short vector, we would've been ears-deep in oopsen.
The reason why we are not is that in this case iov ends up being NULL.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ