| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 01 Mar 2019 09:26:59 -0500
From: Doug Ledford <dledford@...hat.com>
To: Shaobo He <shaobo@...utah.edu>,
Bart Van Assche <bvanassche@....org>,
linux-rdma@...r.kernel.org
Cc: Steve Wise <swise@...lsio.com>, Jason Gunthorpe <jgg@...pe.ca>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] cxgb4: fix undefined behavior in mem.c
On Thu, 2019-02-28 at 16:57 -0700, Shaobo He wrote:
> Good catch. But if we agree on that memory management functions are those
> specified by the C standard, would it be OK to ignore so-called use after free
> or double free bugs for the kernel as C standard does not apply to kfree?
No, most kernel use-after-free bugs are real bugs. This one might be
technically a bug by certain readings of the standard, but it's a non-
issue. Real use-after-free bugs don't just look at the value of a local
stack variable to get the memory's old address (which is what this does,
and the same could be achieved and be totally in spec by doing this:
old_ptr = mhp;
kfree(mhp);
pr_debug("%p\n", old_ptr);)
Real use after free things would actually dereference the pointer to
either read or write from the old memory region. That leads to data
corruption or kernel data leaks. Plus, in this case, the purpose of
printing the literal value of mhp is simply to provide a unique name for
tracing purposes. Since kfree() doesn't alter the local stack variable,
the name is still present in the local stack variable at the point you
call pr_debug().
It could be fixed. It's not like this patch is wrong. But I wouldn't
submit it this late in the -rc cycle, I'd just take it for next.
> On 2/28/19 4:33 PM, Bart Van Assche wrote:
> > On Thu, 2019-02-28 at 16:18 -0700, Shaobo He wrote:
> > > I can't afford a pdf version of the C standard. So I looked at the draft version
> > > used in the link I put in the commit message. It says (in 6.2.4:2),
> > >
> > > ```
> > > The lifetime of an object is the portion of program execution during which
> > > storage is guaranteed to be reserved for it. An object exists, has a constant
> > > address, and retains its last-stored value throughout its lifetime. If an object
> > > is referred to outside of its lifetime, the behavior is undefined. The value of
> > > a pointer becomes indeterminate when the object it points to (or just past)
> > > reaches the end of its lifetime.
> > > ```
> > > I couldn't find the definition of lifetime over a dynamically allocated object
> > > in the draft of C standard. I refer to this link
> > > (https://en.cppreference.com/w/c/language/lifetime) which suggests that the
> > > lifetime of an allocated object ends after the deallocation function is called
> > > upon it.
> > >
> > > I think maybe the more problematic issue is that the value of a freed pointer is
> > > intermediate.
> >
> > In another section of the same draft I found the following:
> >
> > J.2 Undefined behavior [ ... ] The value of a pointer that refers to space
> > deallocated by a call to the free or realloc function is used (7.22.3).
> >
> > Since the C standard explicitly refers to free() and realloc(), does that
> > mean that that statement about undefined behavior does not apply to munmap()
> > (for user space code) nor to kfree() (for kernel code)?
> >
> > Bart.
> >
--
Doug Ledford <dledford@...hat.com>
GPG KeyID: B826A3330E572FDD
Key fingerprint = AE6B 1BDA 122B 23B4 265B 1274 B826 A333 0E57 2FDD
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists