[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YH4Aa1zFAWkITsNK@zeniv-ca.linux.org.uk>
Date: Mon, 19 Apr 2021 22:12:59 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Aditya Pakki <pakki001@....edu>
Cc: Santosh Shilimkar <santosh.shilimkar@...cle.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
linux-rdma@...r.kernel.org, rds-devel@....oracle.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net/rds: Avoid potential use after free in
rds_send_remove_from_sock
On Tue, Apr 06, 2021 at 07:09:12PM -0500, Aditya Pakki wrote:
> --- a/net/rds/send.c
> +++ b/net/rds/send.c
> @@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status)
> unlock_and_drop:
> spin_unlock_irqrestore(&rm->m_rs_lock, flags);
> rds_message_put(rm);
> - if (was_on_sock)
> + if (was_on_sock && rm)
> rds_message_put(rm);
Look at the code immediately prior to the site of your "fix".
Think for a second what will happen if we *could* get there with rm
equal to NULL (with your patch applied, that is). Now, try to construct
the sequence of events that would lead to that situation. Either you
will arrive at a real bug (in which case your fix does not actually
fix anything) *OR* you will get closer to realization that "defensive
programming" tends to be worthless garbage. In both case the result
would be useful...
Incidentally, locate the place where that variable is
last modified and find the precondition required for rm == NULL
downstream of that.
Plainly put, the patch demonstrates either complete lack of
understanding or somebody not acting in good faith. If it's the latter[1],
may I suggest the esteemed sociologists to fuck off and stop
testing the reviewers with deliberately spewed excrements?
[1] https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
Powered by blists - more mailing lists