lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 21 Jul 2021 12:44:09 +0800
From:   Dongliang Mu <mudongliangabcd@...il.com>
To:     lyl2019@...l.ustc.edu.cn
Cc:     siglesias@...lia.com, jens.taprogge@...rogge.org,
        Greg KH <gregkh@...uxfoundation.org>,
        industrypack-devel@...ts.sourceforge.net,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: Doubts about Patch "ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe"

On Tue, Jul 20, 2021 at 10:38 PM <lyl2019@...l.ustc.edu.cn> wrote:
>
>
> Hello Dongliang Mu,
>
> >  Depending on if CONFIG_PCI defines, the "tpci200->info->cfg_regs" may
> > not be freed.
> >
> > #ifdef CONFIG_PCI
> > /* Destroy a virtual mapping cookie for a PCI BAR (memory or IO) */
> > struct pci_dev;
> > extern void pci_iounmap(struct pci_dev *dev, void __iomem *);
> > #elif defined(CONFIG_GENERIC_IOMAP)
> > struct pci_dev;
> > static inline void pci_iounmap(struct pci_dev *dev, void __iomem *addr)
> > { }
> > #endif
>
> I think only `CONFIG_PCI=n` and `CONFIG_GENERIC_IOMAP=y` cause pci_iounmap an empty
> implementation. Actually, `CONFIG_PCI` is a default option when run `make defconfig`,
> pci_iounmap() usually is acted as an extern function.

I see. From the discussion with other developers, the usage of this
driver needs to enable CONFIG_PCI. So we may not worry about this
point any more.

>
>
> > Even if CONFIG_PCI is undefined, it is possible that
> > tpci200->info->cfg_regs is not freed at all. Therefore, this patch
> > would cause memory leak. Take a look at the following code:
> >
> > void pci_iounmap(struct pci_dev *dev, void __iomem * addr)
> > {
> >         IO_COND(addr, /* nothing */, iounmap(addr));
> > }
>
> Here i am not sure this is the final implementation of pci_iounmap(),
> because pci_iounmap() is re-implementated in many architectures.
> Even so, i observed there still many call-sites of pci_iounmap() have reset
> `the addr = NULL` after calling.
> Can you have some ways to determine the actual implementation of
> pci_iounmap in our cases?

Yeah, that's the problem. I am not highly certain about the
implementation of this function. So if the free is not done, your
previous patch would cause a memory leak.



>
>
> > #define IO_COND(addr, is_pio, is_mmio) do {                     \
> >         unsigned long port = (unsigned long __force)addr;       \
> >         if (port >= PIO_RESERVED) {                             \
> >                 is_mmio;                                        \
> >         } else if (port > PIO_OFFSET) {                         \
> >                 port &= PIO_MASK;                               \
> >                 is_pio;                                         \
> >         } else                                                  \
> >                 bad_io_access(port, #is_pio );                  \
> > } while (0)
> >
>
> Although the above codes is actually called, the addr might be freed
> if `port >= PIO_RESERVED` is true. The double free still existed.

Of course. There exists a path in which the double free occurs.
However, if you directly add this NULL assignment, it will cause a
memory leak in other paths.

I am not suspecting the validation of this patch in defending the
double free. Instead, I agree with this patch, but it may introduce
some other issues, like memory leak.

>
>
>
> If I make any mistakes, please tell me.
> Thanks your report.
> ---
> Lv Yunlong
>
>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ