| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7782.1488471227@warthog.procyon.org.uk>
Date: Thu, 02 Mar 2017 16:13:47 +0000
From: David Howells <dhowells@...hat.com>
To: Colin Ian King <colin.king@...onical.com>
Cc: dhowells@...hat.com, "David S. Miller" <davem@...emloft.net>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: rxrpc: Fix deadlock between call creation and sendmsg/recvmsg
Colin Ian King <colin.king@...onical.com> wrote:
> I think the following part of the patch is problematic:
>
> call = rxrpc_find_call_by_user_ID(rx, user_call_ID);
> if (!call) {
> + ret = -EBADSLT;
> if (cmd != RXRPC_CMD_SEND_DATA)
> - return -EBADSLT;
> + goto error_release_sock;
> + ret = -EBUSY;
>
> At this point call is null, so the following code is performing a null
> pointer dereference on call when accessing call->state.
>
> Detected by CoverityScan CID#1414316 ("Dereference after null check")
>
> + if (call->state == RXRPC_CALL_UNINITIALISED ||
> + call->state == RXRPC_CALL_CLIENT_AWAIT_CONN ||
> + call->state == RXRPC_CALL_SERVER_PREALLOC ||
> + call->state == RXRPC_CALL_SERVER_SECURING ||
> + call->state == RXRPC_CALL_SERVER_ACCEPTING)
> + goto error_release_sock;
> call = rxrpc_new_client_call_for_sendmsg(rx, msg,
> user_call_ID,
Good catch, thanks, I put the state check in the wrong half of the
if-statement.
David
Powered by blists - more mailing lists