| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <98e5a46b-d7db-14c2-320e-f8f6c3c063bf@codeaurora.org>
Date: Tue, 18 Sep 2018 11:39:20 +0530
From: Sai Prakash Ranjan <saiprakash.ranjan@...eaurora.org>
To: Matthias Kaehlcke <mka@...omium.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jiri Slaby <jslaby@...e.com>
Cc: linux-kernel@...r.kernel.org, Evan Green <evgreen@...omium.org>,
Douglas Anderson <dianders@...omium.org>,
Stephen Boyd <swboyd@...omium.org>,
Manoj Gupta <manojgupta@...omium.org>,
Nick Desaulniers <ndesaulniers@...gle.com>
Subject: Re: [PATCH] tty/sysrq: Make local variable 'killer' in
sysrq_handle_crash() global
On 9/18/2018 3:03 AM, Matthias Kaehlcke wrote:
> sysrq_handle_crash() dereferences a NULL pointer on purpose to force
> an exception, the local variable 'killer' is assigned to NULL and
> dereferenced later. Clang detects the NULL pointer dereference at compile
> time and emits a BRK instruction (on arm64) instead of the expected NULL
> pointer exception. Change 'killer' to a global variable (and rename it
> to 'sysrq_killer' to avoid possible clashes) to prevent Clang from
> detecting the condition. By default global variables are initialized
> with zero/NULL in C, therefore an explicit initialization is not needed.
>
> Reported-by: Sai Prakash Ranjan <saiprakash.ranjan@...eaurora.org>
> Suggested-by: Evan Green <evgreen@...omium.org>
> Signed-off-by: Matthias Kaehlcke <mka@...omium.org>
> ---
> drivers/tty/sysrq.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
> index 06ed20dd01ba..49fa8e758690 100644
> --- a/drivers/tty/sysrq.c
> +++ b/drivers/tty/sysrq.c
> @@ -132,10 +132,10 @@ static struct sysrq_key_op sysrq_unraw_op = {
> #define sysrq_unraw_op (*(struct sysrq_key_op *)NULL)
> #endif /* CONFIG_VT */
>
> +char *sysrq_killer;
> +
> static void sysrq_handle_crash(int key)
> {
> - char *killer = NULL;
> -
> /* we need to release the RCU read lock here,
> * otherwise we get an annoying
> * 'BUG: sleeping function called from invalid context'
> @@ -144,7 +144,7 @@ static void sysrq_handle_crash(int key)
> rcu_read_unlock();
> panic_on_oops = 1; /* force panic */
> wmb();
> - *killer = 1;
> + *sysrq_killer = 1;
> }
> static struct sysrq_key_op sysrq_crash_op = {
> .handler = sysrq_handle_crash,
>
Tested-by: Sai Prakash Ranjan <saiprakash.ranjan@...eaurora.org>
--
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member
of Code Aurora Forum, hosted by The Linux Foundation
Powered by blists - more mailing lists