Message-ID: <42513566-6982-c9c4-dbbb-ed98bd332fe9@gmail.com>
Date:   Wed, 22 Aug 2018 11:27:39 -0500
From:   Corey Minyard <tcminyard@...il.com>
To:     Justin Ernst <justin.ernst@....com>,
        Corey Minyard <minyard@....org>
Cc:     Arnd Bergmann <arnd@...db.de>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Jeremy Kerr <jk@...abs.org>,
        openipmi-developer@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org, Russ Anderson <russ.anderson@....com>
Subject: Re: [PATCH] Remove redundant cleanup in ipmi_register_smi

On 08/21/2018 10:25 AM, Justin Ernst wrote:
> When ipmi_register_smi fails, it performs a small cleanup routine
> before returning its error value. In try_smi_init, on the condition that
> ipmi_register_smi fails, ipmi_unregister_smi is called. ipmi_unregister_smi
> performs the same cleanup routine as ipmi_register_smi. This results in
> a kernel NULL pointer dereference. Removing the cleanup routine in
> ipmi_register_smi results in proper cleanup of a ipmi_register_smi failure.

This is almost certainly wrong.  If ipmi_register_smi() fails, the calling code shouldn't call ipmi_unregister_smi().

However, I think I know what is going wrong.  ipmi_register_smi() can fail after the interface is initialized; if so, the registering code will think it is registered and call ipmi_unregister_smi() on a failure.  I'll send a patch for this.

-corey

>
> Cc: Corey Minyard <minyard@....org>
> Cc: Arnd Bergmann <arnd@...db.de>
> Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Cc: Jeremy Kerr <jk@...abs.org>
> Cc: openipmi-developer@...ts.sourceforge.net
> Cc: linux-kernel@...r.kernel.org
> Cc: Russ Anderson <russ.anderson@....com>
> Acked-by: Andrew Banman <abanman@....com>
> Signed-off-by: Justin Ernst <justin.ernst@....com>
> ---
>   drivers/char/ipmi/ipmi_msghandler.c | 10 +++++-----
>   1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
> index 51832b8a2c62..3b0b50c4f064 100644
> --- a/drivers/char/ipmi/ipmi_msghandler.c
> +++ b/drivers/char/ipmi/ipmi_msghandler.c
> @@ -3395,12 +3395,12 @@ int ipmi_register_smi(const struct ipmi_smi_handlers *handlers,
>   
>    out:
>   	if (rv) {
> -		ipmi_bmc_unregister(intf);
> -		list_del_rcu(&intf->link);
> +		/*
> +		 * ipmi_unregister_smi must be called to clean up after
> +		 * failure. We unlock the mutex to allow ipmi_unregister_smi
> +		 * to lock it and perform cleanup.
> +		 */
>   		mutex_unlock(&ipmi_interfaces_mutex);
> -		synchronize_srcu(&ipmi_interfaces_srcu);
> -		cleanup_srcu_struct(&intf->users_srcu);
> -		kref_put(&intf->refcount, intf_free);
>   	} else {
>   		/*
>   		 * Keep memory order straight for RCU readers.  Make
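Review bot: this hunk changes the error contract of ipmi_register_smi() rather than fixing the double cleanup, and that contract change is only documented in the new comment, not enforced anywhere. With `ipmi_bmc_unregister(intf)`, `list_del_rcu(&intf->link)`, `synchronize_srcu()`, `cleanup_srcu_struct()` and `kref_put()` all removed from the `if (rv)` branch, a caller that follows the usual kernel convention (do not unregister what failed to register) now leaks the interface and leaves a half-initialised `intf` on the interfaces list, visible to RCU readers, after a failed registration; the NULL dereference described in the commit message is moved, not removed, because correctness now depends on every caller unconditionally calling ipmi_unregister_smi() on failure. The visible context line `mutex_unlock(&ipmi_interfaces_mutex);` is the only teardown left, so the function no longer undoes its own partial state. Suggest keeping the cleanup here and instead fixing the caller in try_smi_init so it does not call ipmi_unregister_smi() when ipmi_register_smi() has already failed (or have ipmi_register_smi() fail before any state that the caller could observe as "registered" is published).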

