lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4ca00dee-86b2-56b0-423a-76ef28260385@amd.com>
Date:   Sun, 3 Apr 2022 17:05:30 +0200
From:   Christian König <christian.koenig@....com>
To:     Pavel Skripkin <paskripkin@...il.com>, sumit.semwal@...aro.org,
        gustavo@...ovan.org, daniel.vetter@...ll.ch
Cc:     linux-media@...r.kernel.org, dri-devel@...ts.freedesktop.org,
        linaro-mm-sig@...ts.linaro.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH next v2] dma-buf/sync-file: do not allow zero size
 allocation

Am 01.04.22 um 23:31 schrieb Pavel Skripkin:
> num_fences is user-controlled value and it can be equal to 0. Code
> should not pass 0 to kcalloc(), since it will cause kcalloc() to return
> ZERO_PTR. ZERO_PTR will pass `!fences` check and kernel will panic
> because of dereferencing ZERO_PTR in add_fence()
>
> Fix it by validating num_fences and bail out early if it is equal to 0

Well there are multiple issues with this patch. First of all as I wrote 
before it shouldn't be possible that num_fences is zero.

We could still just add this as a precaution, but then bailing out is 
the wrong thing to do here. Instead we should then make sure to allocate 
at least one slot for a fence in the array.

But I think the cleanest would just be to not add a fence into the array 
in the first place when num_fences is zero.

Regards,
Christian.

>
> Fixes: 519f490db07e ("dma-buf/sync-file: fix warning about fence containers")
> Signed-off-by: Pavel Skripkin <paskripkin@...il.com>
> ---
>
> Changes since v1:
> 	- Dropped already merged part
> 	- Removed syzkaller's tag
>
> ---
>   drivers/dma-buf/sync_file.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c
> index b8dea4ec123b..024f22193e0c 100644
> --- a/drivers/dma-buf/sync_file.c
> +++ b/drivers/dma-buf/sync_file.c
> @@ -212,7 +212,7 @@ static struct sync_file *sync_file_merge(const char *name, struct sync_file *a,
>   	dma_fence_unwrap_for_each(b_fence, &b_iter, b->fence)
>   		++num_fences;
>   
> -	if (num_fences > INT_MAX)
> +	if (num_fences > INT_MAX || !num_fences)
>   		goto err_free_sync_file;
>   
>   	fences = kcalloc(num_fences, sizeof(*fences), GFP_KERNEL);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ