lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 11 Aug 2020 11:00:20 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Marion & Christophe JAILLET <christophe.jaillet@...adoo.fr>
Cc:     alexander.deucher@....com, christian.koenig@....com,
        airlied@...ux.ie, daniel@...ll.ch, sumit.semwal@...aro.org,
        colton.w.lewis@...tonmail.com, Ori.Messinger@....com,
        m.szyprowski@...sung.com, bernard@...o.com,
        dri-devel@...ts.freedesktop.org, amd-gfx@...ts.freedesktop.org,
        linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] drm: amdgpu: Use the correct size when allocating memory

On Tue, Aug 11, 2020 at 10:57:02AM +0300, Dan Carpenter wrote:
> On Mon, Aug 10, 2020 at 08:41:14PM +0200, Marion & Christophe JAILLET wrote:
> > 
> > Le 10/08/2020 à 17:42, Dan Carpenter a écrit :
> > > On Sun, Aug 09, 2020 at 10:34:06PM +0200, Christophe JAILLET wrote:
> > > > When '*sgt' is allocated, we must allocated 'sizeof(**sgt)' bytes instead
> > > > of 'sizeof(*sg)'. 'sg' (i.e. struct scatterlist) is smaller than
> > > > 'sgt' (i.e struct sg_table), so this could lead to memory corruption.
> > > The sizeof(*sg) is bigger than sizeof(**sgt) so this wastes memory but
> > > it won't lead to corruption.
> > > 
> > >      11  struct scatterlist {
> > >      12          unsigned long   page_link;
> > >      13          unsigned int    offset;
> > >      14          unsigned int    length;
> > >      15          dma_addr_t      dma_address;
> > >      16  #ifdef CONFIG_NEED_SG_DMA_LENGTH
> > >      17          unsigned int    dma_length;
> > >      18  #endif
> > >      19  };
> > > 
> > >      42  struct sg_table {
> > >      43          struct scatterlist *sgl;        /* the list */
> > >      44          unsigned int nents;             /* number of mapped entries */
> > >      45          unsigned int orig_nents;        /* original size of list */
> > >      46  };
> > > 
> > > regards,
> > > dan carpenter
> > 
> > 
> > My bad. I read 'struct scatterlist sgl' (without the *)
> > Thanks for the follow-up, Dan.
> > 
> > Doesn't smatch catch such mismatch?
> > (I've not run smatch for a while, so it is maybe reported)
> 
> That's why I was investigating it, because Smatch didn't catch it.
> 
> Smatch would have warned if it led to memory corruption.  Smatch also
> tries to detect struct mismatches as a separate check but for some
> reason it missed it.  I'm not totally sure why yet.  I suspect that it's
> a complicated internal reason where Sparse is the sizeof to a normal

s/is/changes/

> number...  It's a known issue and hard to fix.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ