| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a75e8a5d-25d0-83b8-6f7c-b80e69985b60@suse.cz>
Date: Tue, 18 Sep 2018 08:11:33 +0200
From: Jiri Slaby <jslaby@...e.cz>
To: Matthias Kaehlcke <mka@...omium.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Douglas Anderson <dianders@...omium.org>,
Evan Green <evgreen@...omium.org>,
Manoj Gupta <manojgupta@...omium.org>,
Stephen Boyd <swboyd@...omium.org>,
Sai Prakash Ranjan <saiprakash.ranjan@...eaurora.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tty/sysrq: Make local variable 'killer' in
sysrq_handle_crash() global
On 09/17/2018, 11:33 PM, Matthias Kaehlcke wrote:
> sysrq_handle_crash() dereferences a NULL pointer on purpose to force
> an exception, the local variable 'killer' is assigned to NULL and
> dereferenced later. Clang detects the NULL pointer dereference at compile
> time and emits a BRK instruction (on arm64) instead of the expected NULL
> pointer exception. Change 'killer' to a global variable (and rename it
> to 'sysrq_killer' to avoid possible clashes) to prevent Clang from
> detecting the condition. By default global variables are initialized
> with zero/NULL in C, therefore an explicit initialization is not needed.
>
> Reported-by: Sai Prakash Ranjan <saiprakash.ranjan@...eaurora.org>
> Suggested-by: Evan Green <evgreen@...omium.org>
> Signed-off-by: Matthias Kaehlcke <mka@...omium.org>
> ---
> drivers/tty/sysrq.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
> index 06ed20dd01ba..49fa8e758690 100644
> --- a/drivers/tty/sysrq.c
> +++ b/drivers/tty/sysrq.c
> @@ -132,10 +132,10 @@ static struct sysrq_key_op sysrq_unraw_op = {
> #define sysrq_unraw_op (*(struct sysrq_key_op *)NULL)
> #endif /* CONFIG_VT */
>
> +char *sysrq_killer;
> +
> static void sysrq_handle_crash(int key)
> {
> - char *killer = NULL;
> -
> /* we need to release the RCU read lock here,
> * otherwise we get an annoying
> * 'BUG: sleeping function called from invalid context'
> @@ -144,7 +144,7 @@ static void sysrq_handle_crash(int key)
> rcu_read_unlock();
> panic_on_oops = 1; /* force panic */
> wmb();
> - *killer = 1;
> + *sysrq_killer = 1;
Just because a static analyzer is wrong? Oh wait, even compiler is
wrong. At least make it a static global. Or what about OPTIMIZER_HIDE_VAR?
thanks,
--
js
suse labs
Powered by blists - more mailing lists