| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Jul 2021 03:53:37 +0530
From: Harshvardhan Jha <harshvardhan.jha@...cle.com>
To: Stefano Stabellini <sstabellini@...nel.org>, asmadeus@...ewreck.org
Cc: ericvh@...il.com, lucho@...kov.net, davem@...emloft.net,
kuba@...nel.org, v9fs-developer@...ts.sourceforge.net,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [External] : Re: [PATCH] 9p/xen: Fix end of loop tests for
list_for_each_entry
On 27/07/21 3:00 am, Stefano Stabellini wrote:
> On Mon, 26 Jul 2021, asmadeus@...ewreck.org wrote:
>> Harshvardhan Jha wrote on Sun, Jul 25, 2021 at 11:21:03PM +0530:
>>> The list_for_each_entry() iterator, "priv" in this code, can never be
>>> NULL so the warning would never be printed.
>>
>> hm? priv won't be NULL but priv->client won't be client, so it will
>> return -EINVAL alright in practice?
>>
>> This does fix an invalid read after the list head, so there's a real
>> bug, but the commit message needs fixing.
>
> Agreed
>
>
>>> Signed-off-by: Harshvardhan Jha <harshvardhan.jha@...cle.com>
>>> ---
>>> From static analysis. Not tested.
>>
>> +Stefano in To - I also can't test xen right now :/
>> This looks functional to me but if you have a bit of time to spare just
>> a mount test can't hurt.
>
> Yes, I did test it successfully. Aside from the commit messaged to be
> reworded:
How's this?
===========================BEGIN========================================
9p/xen: Fix end of loop tests for list_for_each_entry
This patch addresses the following problems:
- priv can never be NULL, so this part of the check is useless
- if the loop ran through the whole list, priv->client is invalid and
it is more appropriate and sufficient to check for the end of
list_for_each_entry loop condition.
Signed-off-by: Harshvardhan Jha <harshvardhan.jha@...cle.com>
---
From static analysis. Not tested.
===========================END==========================================
>
> Reviewed-by: Stefano Stabellini <sstabellini@...nel.org>
> Tested-by: Stefano Stabellini <sstabellini@...nel.org>
>
>
>>> ---
>>> net/9p/trans_xen.c | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
>>> index f4fea28e05da..3ec1a51a6944 100644
>>> --- a/net/9p/trans_xen.c
>>> +++ b/net/9p/trans_xen.c
>>> @@ -138,7 +138,7 @@ static bool p9_xen_write_todo(struct xen_9pfs_dataring *ring, RING_IDX size)
>>>
>>> static int p9_xen_request(struct p9_client *client, struct p9_req_t *p9_req)
>>> {
>>> - struct xen_9pfs_front_priv *priv = NULL;
>>> + struct xen_9pfs_front_priv *priv;
>>> RING_IDX cons, prod, masked_cons, masked_prod;
>>> unsigned long flags;
>>> u32 size = p9_req->tc.size;
>>> @@ -151,7 +151,7 @@ static int p9_xen_request(struct p9_client *client, struct p9_req_t *p9_req)
>>> break;
>>> }
>>> read_unlock(&xen_9pfs_lock);
>>> - if (!priv || priv->client != client)
>>> + if (list_entry_is_head(priv, &xen_9pfs_devs, list))
>>> return -EINVAL;
>>>
>>> num = p9_req->tc.tag % priv->num_rings;
Powered by blists - more mailing lists