lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 4 Aug 2016 14:57:12 +0100
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Cc:	Nicholas Krause <xerofoify@...il.com>, akpm@...ux-foundation.org,
	msalter@...hat.com, kuleshovmail@...il.com,
	david.vrabel@...rix.com, vbabka@...e.cz, ard.biesheuvel@...aro.org,
	jgross@...e.com, linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [PATCH] fs:Fix kmemleak leak warning in getname_flags about
 working on unitialized memory

On Thu, Aug 04, 2016 at 09:18:19PM +0900, Tetsuo Handa wrote:
> On 2016/08/04 6:48, Nicholas Krause wrote:
> > This fixes a kmemleak leak warning complaining about working on
> > unitializied memory as found in the function, getname_flages. Seems
> > that we are indeed working on unitialized memory, as the filename
> > char pointer is never made to point to the filname structure's result
> > member for holding it's name, fix this by using memcpy to copy the
> > filname structure pointer's, name to the char pointer passed to this
> > function.
> > 
> > Signed-off-by: Nicholas Krause <xerofoify@...il.com>
> > ---
> >  fs/namei.c         | 1 +
> >  mm/early_ioremap.c | 1 +
> >  2 files changed, 2 insertions(+)
> > 
> > diff --git a/fs/namei.c b/fs/namei.c
> > index c386a32..6b18d57 100644
> > --- a/fs/namei.c
> > +++ b/fs/namei.c
> > @@ -196,6 +196,7 @@ getname_flags(const char __user *filename, int flags, int *empty)
> >  		}
> >  	}
> >  
> > +	memcpy((char *)result->name, filename, len);
> 
> This filename is a __user pointer. Reading with memcpy() is not safe.

Don't feed the troll.  On all paths leading to that place we have
        result->name = kname;
        len = strncpy_from_user(kname, filename, EMBEDDED_NAME_MAX);
or
                result->name = kname;
                len = strncpy_from_user(kname, filename, PATH_MAX);
with failure exits taken if strncpy_from_user() returns an error, which means
that the damn thing has already been copied into.

FWIW, it looks a lot like buggered kmemcheck; as usual, he can't be bothered
to mention which kernel version would it be (let alone how to reproduce it
on the kernel in question), but IIRC davej had run into some instrumentation
breakage lately.

Again, don't feed the troll - you are only inviting an "improved" version
of that garbage, just as pointless.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ