lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 8 Apr 2021 11:24:45 -0400
From:   Olga Kornievskaia <aglo@...ch.edu>
To:     Trond Myklebust <trondmy@...merspace.com>
Cc:     "pakki001@....edu" <pakki001@....edu>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "chuck.lever@...cle.com" <chuck.lever@...cle.com>,
        "dwysocha@...hat.com" <dwysocha@...hat.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "bfields@...ldses.org" <bfields@...ldses.org>,
        "linux-nfs@...r.kernel.org" <linux-nfs@...r.kernel.org>,
        "anna.schumaker@...app.com" <anna.schumaker@...app.com>
Subject: Re: [PATCH] SUNRPC: Add a check for gss_release_msg

On Thu, Apr 8, 2021 at 11:01 AM Trond Myklebust <trondmy@...merspace.com> wrote:
>
> On Tue, 2021-04-06 at 19:16 -0500, Aditya Pakki wrote:
> > In gss_pipe_destroy_msg(), in case of error in msg, gss_release_msg
> > deletes gss_msg. The patch adds a check to avoid a potential double
> > free.
> >
> > Signed-off-by: Aditya Pakki <pakki001@....edu>
> > ---
> >  net/sunrpc/auth_gss/auth_gss.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/sunrpc/auth_gss/auth_gss.c
> > b/net/sunrpc/auth_gss/auth_gss.c
> > index 5f42aa5fc612..eb52eebb3923 100644
> > --- a/net/sunrpc/auth_gss/auth_gss.c
> > +++ b/net/sunrpc/auth_gss/auth_gss.c
> > @@ -848,7 +848,8 @@ gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
> >                         warn_gssd();
> >                 gss_release_msg(gss_msg);
> >         }
> > -       gss_release_msg(gss_msg);
> > +       if (gss_msg)
> > +               gss_release_msg(gss_msg);
> >  }
> >
> >  static void gss_pipe_dentry_destroy(struct dentry *dir,
>
>
> NACK. There's no double free there.

I disagree that there is no double free, the wording of the commit
describes the problem in the error case is that we call
gss_release_msg() and then we call it again but the 1st one released
the gss_msg. However, I think the fix should probably be instead:
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 5f42aa5fc612..e8aae617e981 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -846,7 +846,7 @@ gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
                gss_unhash_msg(gss_msg);
                if (msg->errno == -ETIMEDOUT)
                        warn_gssd();
-               gss_release_msg(gss_msg);
+               return gss_release_msg(gss_msg);
        }
        gss_release_msg(gss_msg);
 }

>
> --
> Trond Myklebust
> Linux NFS client maintainer, Hammerspace
> trond.myklebust@...merspace.com
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ