lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 27 Mar 2019 16:49:14 +0000
From:   Stefan Hajnoczi <stefanha@...hat.com>
To:     Vitaly Mayatskikh <v.mayatskih@...il.com>
Cc:     Michal Hocko <mhocko@...e.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vhost: zero vhost_vsock memory on allocation

On Tue, Mar 26, 2019 at 08:56:14PM -0400, Vitaly Mayatskikh wrote:
> This fixes OOPS when using under-initialized vhost_vsock object.
> 
> The code had a combo of kzalloc plus vmalloc as a fallback
> initially, but it has been replaced by plain kvmalloc in
> commit 6c5ab6511f71 ("mm: support __GFP_REPEAT in kvmalloc_node for >32kB")
> 
> OOPS is easy to reproduce with open/ioctl after trashing the RAM.

Which field was accessed before initialization?

I ask because the situation is now unclear since code remains that
assumes vsock is *not* zero-initialized:

  vsock->guest_cid = 0; /* no CID assigned yet */

  atomic_set(&vsock->queued_replies, 0);

If we're going to zalloc, let's get rid of explicit zero
initializations.  Or let's use kvmalloc() and fix the uninitialized
access.  Mixing both is confusing.

> Signed-off-by: Vitaly Mayatskikh <v.mayatskih@...il.com>
> ---
>  drivers/vhost/vsock.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
> index bb5fc0e..9e7cb13 100644
> --- a/drivers/vhost/vsock.c
> +++ b/drivers/vhost/vsock.c
> @@ -512,7 +512,7 @@ static int vhost_vsock_dev_open(struct inode *inode, struct file *file)
>  	/* This struct is large and allocation could fail, fall back to vmalloc
>  	 * if there is no other way.
>  	 */
> -	vsock = kvmalloc(sizeof(*vsock), GFP_KERNEL | __GFP_RETRY_MAYFAIL);
> +	vsock = kvzalloc(sizeof(*vsock), GFP_KERNEL | __GFP_RETRY_MAYFAIL);
>  	if (!vsock)
>  		return -ENOMEM;
>  
> -- 
> 1.8.3.1
> 

Download attachment "signature.asc" of type "application/pgp-signature" (456 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ