lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LSU.2.21.1901310936510.26726@pobox.suse.cz>
Date:   Thu, 31 Jan 2019 09:40:25 +0100 (CET)
From:   Miroslav Benes <mbenes@...e.cz>
To:     Petr Mladek <pmladek@...e.com>
cc:     Jiri Kosina <jikos@...nel.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Jason Baron <jbaron@...mai.com>,
        Joe Lawrence <joe.lawrence@...hat.com>,
        Evgenii Shatokhin <eshatokhin@...tuozzo.com>,
        live-patching@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/4] livepatch: Handle failing allocation of shadow
 variables in the selftest

On Wed, 30 Jan 2019, Petr Mladek wrote:

> On Mon 2019-01-21 13:14:38, Miroslav Benes wrote:
> > Hi,
> > 
> > On Wed, 16 Jan 2019, Petr Mladek wrote:
> > 
> > > Do not dereference pointers to the shadow variables when either
> > > klp_shadow_alloc() or klp_shadow_get() fail.
> > 
> > I may misunderstand the patch, so bear with me, please. Is this because of 
> > a possible null pointer dereference? If yes, shouldn't this say rather 
> > "when both klp_shadow_alloc() and klp_shadow_get() fail"?
> 
> Well, klp_shadow_get() could fail also from other reasons if there is
> a bug in the implementation.

Yes, but I meant that if only klp_shadow_alloc() or klp_shadow_get() 
failed, it would be caught by ret == sv1 comparison and you would not need 
to add checking of ret at the beginning.
 
> > > There is no need to check the other locations explicitly. The test
> > > would fail if any allocation fails. And the existing messages, printed
> > > during the test, provide enough information to debug eventual problems.
> 
> Heh, this is actually the reason why I did not add the check
> for shadow_alloc(). Any error would be detected later
> with klp_shadow_get() calls that should get tested anyway.
> 
> Hmm, when I think about it. A good practice is to handle
> klp_shadow_allow() or klp_shadow_get() failures immediately.
> After all, it is the sample code that people might follow.

I think so. 

> > > Signed-off-by: Petr Mladek <pmladek@...e.com>
> > > ---
> > >  lib/livepatch/test_klp_shadow_vars.c | 8 ++++----
> > >  1 file changed, 4 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/lib/livepatch/test_klp_shadow_vars.c b/lib/livepatch/test_klp_shadow_vars.c
> > > index 02f892f941dc..55e6820430dc 100644
> > > --- a/lib/livepatch/test_klp_shadow_vars.c
> > > +++ b/lib/livepatch/test_klp_shadow_vars.c
> > > @@ -162,15 +162,15 @@ static int test_klp_shadow_vars_init(void)
> > >  	 * to expected data.
> > >  	 */
> > >  	ret = shadow_get(obj, id);
> > > -	if (ret == sv1 && *sv1 == &var1)
> > > +	if (ret && ret == sv1 && *sv1 == &var1)
> > >  		pr_info("  got expected PTR%d -> PTR%d result\n",
> > >  			ptr_id(sv1), ptr_id(*sv1));
> > >  	ret = shadow_get(obj + 1, id);
> > > -	if (ret == sv2 && *sv2 == &var2)
> > > +	if (ret && ret == sv2 && *sv2 == &var2)
> > >  		pr_info("  got expected PTR%d -> PTR%d result\n",
> > >  			ptr_id(sv2), ptr_id(*sv2));
> > >  	ret = shadow_get(obj, id + 1);
> > > -	if (ret == sv3 && *sv3 == &var3)
> > > +	if (ret && ret == sv3 && *sv3 == &var3)
> > >  		pr_info("  got expected PTR%d -> PTR%d result\n",
> > >  			ptr_id(sv3), ptr_id(*sv3));
> > 
> > There is one more similar site calling shadow_get(obj, id + 1) which is 
> > fixed.
> 
> Heh, I think that I did not add the check there on purpose.
> If we are here, shadow_get(obj, id + 1) must have already succeeded
> above.

Yes, but if it failed, you would not notice. The message would not be 
printed and that's all. So it is possible to run into the same problematic 
error condition here.

> But it is a bad practice. We should always check the output.
> I'll do so in v2.

Agreed.

Miroslav

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ