| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200414170827.d32fc1fc12a33b140b740b94@linux-foundation.org>
Date: Tue, 14 Apr 2020 17:08:27 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: Miles Chen <miles.chen@...iatek.com>
Cc: <linux-mm@...ck.org>, <linux-kernel@...r.kernel.org>,
<linux-mediatek@...ts.infradead.org>, <wsd_upstream@...iatek.com>,
Peter Xu <peterx@...hat.com>
Subject: Re: [PATCH] mm/gup: fix null pointer dereference detected by
coverity
On Tue, 7 Apr 2020 17:51:07 +0800 Miles Chen <miles.chen@...iatek.com> wrote:
> In fixup_user_fault(), it is possible that unlocked is NULL,
> so we should test unlocked before using it.
>
> For example, in arch/arc/kernel/process.c, NULL is passed
> to fixup_user_fault().
>
> SYSCALL_DEFINE3(arc_usr_cmpxchg, int *, uaddr, int, expected, int, new)
> {
> ...
> ret = fixup_user_fault(current, current->mm, (unsigned long) uaddr,
> FAULT_FLAG_WRITE, NULL);
> ...
> }
(cc Peter)
> --- a/mm/gup.c
> +++ b/mm/gup.c
> @@ -1230,7 +1230,8 @@ int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
> if (ret & VM_FAULT_RETRY) {
> down_read(&mm->mmap_sem);
> if (!(fault_flags & FAULT_FLAG_TRIED)) {
> - *unlocked = true;
> + if (unlocked)
> + *unlocked = true;
> fault_flags |= FAULT_FLAG_TRIED;
> goto retry;
> }
Not sure. If the caller passes FAULT_FLAG_ALLOW_RETRY then they must
also pass in a valid non-NULL `unlocked'. If the caller passed
FAULT_FLAG_ALLOW_RETRY and unlocked==NULL then the resulting oops is an
appropriate way of reporting this mistake. I think?
Powered by blists - more mailing lists