lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20220319202526.hlkrfxdod5mmkvp4@dev0025.ash9.facebook.com>
Date:   Sat, 19 Mar 2022 13:25:26 -0700
From:   David Vernet <void@...ifault.com>
To:     trix@...hat.com
Cc:     jpoimboe@...hat.com, jikos@...nel.org, mbenes@...e.cz,
        pmladek@...e.com, joe.lawrence@...hat.com, nathan@...nel.org,
        ndesaulniers@...gle.com, live-patching@...r.kernel.org,
        linux-kernel@...r.kernel.org, llvm@...ts.linux.dev
Subject: Re: [PATCH] livepatch: Reorder to use before freeing a pointer

On Sat, Mar 19, 2022 at 09:51:59AM -0700, trix@...hat.com wrote:
> From: Tom Rix <trix@...hat.com>
> 
> Clang static analysis reports this issue
> livepatch-shadow-fix1.c:113:2: warning: Use of
>   memory after it is freed
>   pr_info("%s: dummy @ %p, prevented leak @ %p\n",
>   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> The pointer is freed in the previous statement.
> Reorder the pr_info to report before the free.
> 
> Signed-off-by: Tom Rix <trix@...hat.com>
> ---
>  samples/livepatch/livepatch-shadow-fix1.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/samples/livepatch/livepatch-shadow-fix1.c b/samples/livepatch/livepatch-shadow-fix1.c
> index 918ce17b43fda..6701641bf12d4 100644
> --- a/samples/livepatch/livepatch-shadow-fix1.c
> +++ b/samples/livepatch/livepatch-shadow-fix1.c
> @@ -109,9 +109,9 @@ static void livepatch_fix1_dummy_leak_dtor(void *obj, void *shadow_data)
>  	void *d = obj;
>  	int **shadow_leak = shadow_data;
>  
> -	kfree(*shadow_leak);
>  	pr_info("%s: dummy @ %p, prevented leak @ %p\n",
>  			 __func__, d, *shadow_leak);
> +	kfree(*shadow_leak);
>  }
>  
>  static void livepatch_fix1_dummy_free(struct dummy *d)
> -- 
> 2.26.3
> 

The fix looks good, though it looks like there is also a similar
use-after-free in livepatch_fix2_dummy_leak_dtor() in
livepatch-shadow-fix2.c. Could you please also fix that as part of this
patch?

Thanks,
David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ