| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 31 Jan 2019 09:40:25 +0100 (CET)
From: Miroslav Benes <mbenes@...e.cz>
To: Petr Mladek <pmladek@...e.com>
cc: Jiri Kosina <jikos@...nel.org>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Jason Baron <jbaron@...mai.com>,
Joe Lawrence <joe.lawrence@...hat.com>,
Evgenii Shatokhin <eshatokhin@...tuozzo.com>,
live-patching@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/4] livepatch: Handle failing allocation of shadow
variables in the selftest
On Wed, 30 Jan 2019, Petr Mladek wrote:
> On Mon 2019-01-21 13:14:38, Miroslav Benes wrote:
> > Hi,
> >
> > On Wed, 16 Jan 2019, Petr Mladek wrote:
> >
> > > Do not dereference pointers to the shadow variables when either
> > > klp_shadow_alloc() or klp_shadow_get() fail.
> >
> > I may misunderstand the patch, so bear with me, please. Is this because of
> > a possible null pointer dereference? If yes, shouldn't this say rather
> > "when both klp_shadow_alloc() and klp_shadow_get() fail"?
>
> Well, klp_shadow_get() could fail also from other reasons if there is
> a bug in the implementation.
Yes, but I meant that if only klp_shadow_alloc() or klp_shadow_get()
failed, it would be caught by ret == sv1 comparison and you would not need
to add checking of ret at the beginning.
> > > There is no need to check the other locations explicitly. The test
> > > would fail if any allocation fails. And the existing messages, printed
> > > during the test, provide enough information to debug eventual problems.
>
> Heh, this is actually the reason why I did not add the check
> for shadow_alloc(). Any error would be detected later
> with klp_shadow_get() calls that should get tested anyway.
>
> Hmm, when I think about it. A good practice is to handle
> klp_shadow_allow() or klp_shadow_get() failures immediately.
> After all, it is the sample code that people might follow.
I think so.
> > > Signed-off-by: Petr Mladek <pmladek@...e.com>
> > > ---
> > > lib/livepatch/test_klp_shadow_vars.c | 8 ++++----
> > > 1 file changed, 4 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/lib/livepatch/test_klp_shadow_vars.c b/lib/livepatch/test_klp_shadow_vars.c
> > > index 02f892f941dc..55e6820430dc 100644
> > > --- a/lib/livepatch/test_klp_shadow_vars.c
> > > +++ b/lib/livepatch/test_klp_shadow_vars.c
> > > @@ -162,15 +162,15 @@ static int test_klp_shadow_vars_init(void)
> > > * to expected data.
> > > */
> > > ret = shadow_get(obj, id);
> > > - if (ret == sv1 && *sv1 == &var1)
> > > + if (ret && ret == sv1 && *sv1 == &var1)
> > > pr_info(" got expected PTR%d -> PTR%d result\n",
> > > ptr_id(sv1), ptr_id(*sv1));
> > > ret = shadow_get(obj + 1, id);
> > > - if (ret == sv2 && *sv2 == &var2)
> > > + if (ret && ret == sv2 && *sv2 == &var2)
> > > pr_info(" got expected PTR%d -> PTR%d result\n",
> > > ptr_id(sv2), ptr_id(*sv2));
> > > ret = shadow_get(obj, id + 1);
> > > - if (ret == sv3 && *sv3 == &var3)
> > > + if (ret && ret == sv3 && *sv3 == &var3)
> > > pr_info(" got expected PTR%d -> PTR%d result\n",
> > > ptr_id(sv3), ptr_id(*sv3));
> >
> > There is one more similar site calling shadow_get(obj, id + 1) which is
> > fixed.
>
> Heh, I think that I did not add the check there on purpose.
> If we are here, shadow_get(obj, id + 1) must have already succeeded
> above.
Yes, but if it failed, you would not notice. The message would not be
printed and that's all. So it is possible to run into the same problematic
error condition here.
> But it is a bad practice. We should always check the output.
> I'll do so in v2.
Agreed.
Miroslav
Powered by blists - more mailing lists