Open Source and information security mailing list archives
Date:   Mon, 17 Jun 2019 16:22:19 +0200
From:   Alexander Potapenko <glider@...gle.com>
To:     Arnd Bergmann <arnd@...db.de>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Kees Cook <keescook@...omium.org>,
        Christoph Lameter <cl@...ux.com>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Sandeep Patil <sspatil@...roid.com>,
        Laura Abbott <labbott@...hat.com>,
        Jann Horn <jannh@...gle.com>, Marco Elver <elver@...gle.com>,
        Stephen Rothwell <sfr@...b.auug.org.au>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] lib: test_meminit: fix -Wmaybe-uninitialized false positive

On Mon, Jun 17, 2019 at 3:12 PM Arnd Bergmann <arnd@...db.de> wrote:
>
> The conditional logic is too complicated for the compiler to
> fully comprehend:
>
> lib/test_meminit.c: In function 'test_meminit_init':
> lib/test_meminit.c:236:5: error: 'buf_copy' may be used uninitialized in this function [-Werror=maybe-uninitialized]
>      kfree(buf_copy);
>      ^~~~~~~~~~~~~~~
> lib/test_meminit.c:201:14: note: 'buf_copy' was declared here
>
> Simplify it by splitting out the non-rcu section.
>
> Fixes: af734ee6ec85 ("lib: introduce test_meminit module")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
Acked-by: Alexander Potapenko <glider@...gle.com>
> ---
>  lib/test_meminit.c | 50 ++++++++++++++++++++++++----------------------
>  1 file changed, 26 insertions(+), 24 deletions(-)
>
> diff --git a/lib/test_meminit.c b/lib/test_meminit.c
> index ed7efec1387b..7ae2183ff1f4 100644
> --- a/lib/test_meminit.c
> +++ b/lib/test_meminit.c
> @@ -208,35 +208,37 @@ static int __init do_kmem_cache_size(size_t size, bool want_ctor,
>                 /* Check that buf is zeroed, if it must be. */
>                 fail = check_buf(buf, size, want_ctor, want_rcu, want_zero);
>                 fill_with_garbage_skip(buf, size, want_ctor ? CTOR_BYTES : 0);
> +
> +               if (!want_rcu) {
> +                       kmem_cache_free(c, buf);
> +                       continue;
> +               }
> +
>                 /*
>                  * If this is an RCU cache, use a critical section to ensure we
>                  * can touch objects after they're freed.
>                  */
> -               if (want_rcu) {
> -                       rcu_read_lock();
> -                       /*
> -                        * Copy the buffer to check that it's not wiped on
> -                        * free().
> -                        */
> -                       buf_copy = kmalloc(size, GFP_KERNEL);
> -                       if (buf_copy)
> -                               memcpy(buf_copy, buf, size);
> -               }
> -               kmem_cache_free(c, buf);
> -               if (want_rcu) {
> -                       /*
> -                        * Check that |buf| is intact after kmem_cache_free().
> -                        * |want_zero| is false, because we wrote garbage to
> -                        * the buffer already.
> -                        */
> -                       fail |= check_buf(buf, size, want_ctor, want_rcu,
> -                                         false);
> -                       if (buf_copy) {
> -                               fail |= (bool)memcmp(buf, buf_copy, size);
> -                               kfree(buf_copy);
> -                       }
> -                       rcu_read_unlock();
> +               rcu_read_lock();
> +               /*
> +                * Copy the buffer to check that it's not wiped on
> +                * free().
> +                */
> +               buf_copy = kmalloc(size, GFP_KERNEL);
> +               if (buf_copy)
> +                       memcpy(buf_copy, buf, size);
> +
> +               /*
> +                * Check that |buf| is intact after kmem_cache_free().
> +                * |want_zero| is false, because we wrote garbage to
> +                * the buffer already.
> +                */
> +               fail |= check_buf(buf, size, want_ctor, want_rcu,
> +                                 false);
> +               if (buf_copy) {
> +                       fail |= (bool)memcmp(buf, buf_copy, size);
> +                       kfree(buf_copy);
>                 }
> +               rcu_read_unlock();
>         }
>         kmem_cache_destroy(c);
>
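Review bot: the RCU path in this hunk no longer frees buf. The old `kmem_cache_free(c, buf);` that sat between the two `if (want_rcu)` blocks is removed, and the only remaining call is the one inside the new `if (!want_rcu)` early-continue, so for want_rcu caches the object leaks and the comment "Check that |buf| is intact after kmem_cache_free()" no longer matches the code: check_buf() and the memcmp() against buf_copy run on a still-live object and cannot detect a cache that wipes on free. Re-add `kmem_cache_free(c, buf);` after the memcpy() into buf_copy and before the check_buf() call. While restructuring, note that `buf_copy = kmalloc(size, GFP_KERNEL);` now sits between rcu_read_lock() and rcu_read_unlock(), where a GFP_KERNEL allocation may sleep; either allocate buf_copy before rcu_read_lock() or use GFP_ATOMIC.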
> --
> 2.20.0
>


-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
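The loop the patch restructures, as an added user-space example that is not code from lib/test_meminit.c, from the patch, or from its authors. It keeps the post-patch shape (the non-RCU case frees and continues early, so buf_copy is assigned and used on a single straight-line path) and keeps the free inside the RCU path so that the snapshot-then-compare check has something to detect. The slab cache is a hypothetical stand-in: `fake_cache_alloc`, `fake_cache_free`, `fill_with_garbage` and the `broken_rcu_free` fault-injection knob are assumptions of this example, modelling a cache that scrubs non-RCU objects on free but must leave RCU objects intact because a reader may still hold them.

```c
/*
 * Added example; not code from lib/test_meminit.c or from the patch above.
 * It models the loop the patch restructures, in user space: allocate an
 * object, fill it with garbage, and for an RCU-style cache snapshot it,
 * free it, and check that the object was not scrubbed on free, since a
 * reader inside rcu_read_lock() may still be using it. The slab cache and
 * its free path are hypothetical stand-ins: a static pool where non-RCU
 * frees wipe the object and RCU frees leave it intact.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define OBJ_SIZE  64
#define POOL_OBJS 4

static uint8_t pool[POOL_OBJS][OBJ_SIZE];
static bool in_use[POOL_OBJS];

/* Knob to fault-inject a cache that (wrongly) scrubs RCU objects on free. */
static bool broken_rcu_free;

static uint8_t *fake_cache_alloc(void)
{
	for (int i = 0; i < POOL_OBJS; i++) {
		if (!in_use[i]) {
			in_use[i] = true;
			return pool[i];
		}
	}
	return NULL;
}

/* A non-RCU cache may scrub on free (init_on_free); an RCU cache must not. */
static void fake_cache_free(uint8_t *obj, bool rcu_cache)
{
	size_t idx = (size_t)(obj - &pool[0][0]) / OBJ_SIZE;

	in_use[idx] = false;
	if (!rcu_cache || broken_rcu_free)
		memset(obj, 0, OBJ_SIZE);
}

static void fill_with_garbage(uint8_t *buf, size_t size)
{
	for (size_t i = 0; i < size; i++)
		buf[i] = (uint8_t)(0xA5 ^ i);
}

/*
 * Post-patch control flow: the non-RCU case frees and continues early, so
 * buf_copy is only ever assigned and used on one straight-line path and the
 * compiler no longer has to match two separate `if (want_rcu)` blocks.
 * Returns the number of iterations in which the freed object was altered,
 * or -1 if the pool ran out.
 */
static int check_cache(bool want_rcu, int iterations)
{
	int fail = 0;

	for (int i = 0; i < iterations; i++) {
		uint8_t *buf = fake_cache_alloc();
		uint8_t *buf_copy;

		if (!buf)
			return -1;
		fill_with_garbage(buf, OBJ_SIZE);

		if (!want_rcu) {
			fake_cache_free(buf, false);
			continue;
		}

		/* Snapshot before the free, compare after it. */
		buf_copy = malloc(OBJ_SIZE);
		if (buf_copy)
			memcpy(buf_copy, buf, OBJ_SIZE);

		/* The free must stay on this path, or the check below is vacuous. */
		fake_cache_free(buf, true);

		if (buf_copy) {
			fail += memcmp(buf, buf_copy, OBJ_SIZE) != 0;
			free(buf_copy);
		}
	}
	return fail;
}
```

With `broken_rcu_free` set, every RCU iteration reports a mismatch, which is the condition the kernel test exists to catch; with the free dropped from the RCU path the function would report zero failures regardless of how the cache behaves.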
