| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170228045927.GB25371@fergus.ozlabs.ibm.com>
Date: Tue, 28 Feb 2017 15:59:27 +1100
From: Paul Mackerras <paulus@...abs.org>
To: David Gibson <david@...son.dropbear.id.au>
Cc: dan.carpenter@...cle.com, linuxppc-dev@...ts.ozlabs.org,
kvm-ppc@...r.kernel.org, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] KVM: Prevent double-free on HPT resize commit path
On Tue, Feb 28, 2017 at 11:56:55AM +1100, David Gibson wrote:
> On Wed, Feb 15, 2017 at 02:40:04PM +1100, David Gibson wrote:
> > resize_hpt_release(), called once the HPT resize of a KVM guest is
> > completed (successfully or unsuccessfully) free()s the state structure for
> > the resize. It is currently not safe to call with a NULL pointer.
> >
> > However, one of the error paths in kvm_vm_ioctl_resize_hpt_commit() can
> > invoke it with a NULL pointer. This will occur if userspace improperly
> > invokes KVM_PPC_RESIZE_HPT_COMMIT without previously calling
> > KVM_PPC_RESIZE_HPT_PREPARE, or if it calls COMMIT twice without an
> > intervening PREPARE.
> >
> > To fix this potential crash bug - and maybe others like it, make it safe
> > (and a no-op) to call resize_hpt_release() with a NULL resize pointer.
> >
> > Found by Dan Carpenter with a static checker.
> >
> > Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
> > Signed-off-by: David Gibson <david@...son.dropbear.id.au>
>
> Ping,
>
> Paul have you taken this one?
Yes, thanks, it's in Linus' tree now.
Paul.
Powered by blists - more mailing lists