| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 6 Jul 2018 07:25:40 -0700
From: Matthew Wilcox <willy@...radead.org>
To: Mark Rutland <mark.rutland@....com>
Cc: linux-kernel@...r.kernel.org,
Andrew Morton <akpm@...ux-foundation.org>,
Matthew Wilcox <mawilcox@...rosoft.com>,
valdis.kletnieks@...edu
Subject: Re: [PATCH] radix-tree: avoid NULL dereference
On Fri, Jul 06, 2018 at 02:41:44PM +0100, Mark Rutland wrote:
> When idr_alloc() is called for the first time on an IDR (which has no
> nodes in its radix tree), we end up with calculate_count() calling
> get_slot_offset() with a NULL node, leading to a NULL pointer
> dereference caught by UBSAN:
Thanks!
> The result of the load is passed into node_tag_get(), which ignores the
> value when node is NULL. Typically, the compiler inlines both
> get_slot_offset() and node_tag_get() into calculate_count(), optimizing
> away the NULL-pointer dereference, and hence this doesn't typically
> result in a boot failure.
>
> We can't rely on the compiler always doing this, and must avoid
> dereferencing fields from node when it is potentially NULL.
>
> To do so, this patch folds the generation of offset into tag_get(), such
> that this only happens when node is not NULL. Callers are updated to
> pass the relevant slot, rather than the offset derived from it.
I did think about this ... honest! My reasoning clearly glitched at some
point. I think this is the right way to fix the problem.
Acked-by: Matthew Wilcox <willy@...radead.org>
Powered by blists - more mailing lists