lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YH4Aa1zFAWkITsNK@zeniv-ca.linux.org.uk>
Date:   Mon, 19 Apr 2021 22:12:59 +0000
From:   Al Viro <viro@...iv.linux.org.uk>
To:     Aditya Pakki <pakki001@....edu>
Cc:     Santosh Shilimkar <santosh.shilimkar@...cle.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
        linux-rdma@...r.kernel.org, rds-devel@....oracle.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net/rds: Avoid potential use after free in
 rds_send_remove_from_sock

On Tue, Apr 06, 2021 at 07:09:12PM -0500, Aditya Pakki wrote:

> --- a/net/rds/send.c
> +++ b/net/rds/send.c
> @@ -665,7 +665,7 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status)
>  unlock_and_drop:
>  		spin_unlock_irqrestore(&rm->m_rs_lock, flags);
>  		rds_message_put(rm);
> -		if (was_on_sock)
> +		if (was_on_sock && rm)
>  			rds_message_put(rm);

	Look at the code immediately prior to the site of your "fix".
Think for a second what will happen if we *could* get there with rm
equal to NULL (with your patch applied, that is).  Now, try to construct
the sequence of events that would lead to that situation.  Either you
will arrive at a real bug (in which case your fix does not actually
fix anything) *OR* you will get closer to realization that "defensive
programming" tends to be worthless garbage.  In both case the result
would be useful...

	Incidentally, locate the place where that variable is
last modified and find the precondition required for rm == NULL
downstream of that.

	Plainly put, the patch demonstrates either complete lack of
understanding or somebody not acting in good faith.  If it's the latter[1],
may I suggest the esteemed sociologists to fuck off and stop
testing the reviewers with deliberately spewed excrements?

[1] https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ