Date:   Mon, 6 Jun 2022 15:10:44 +0100
From:   "Colin King (gmail)" <colin.i.king@...il.com>
To:     Shiyang Ruan <ruansy.fnst@...itsu.com>
Cc:     Alexander Viro <viro@...iv.linux.org.uk>,
        Dan Williams <dan.j.williams@...el.com>,
        Matthew Wilcox <willy@...radead.org>, Jan Kara <jack@...e.cz>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        nvdimm@...ts.linux.dev,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: re: fsdax: output address in dax_iomap_pfn() and rename it

Hi,

Static analysis with clang scan-build found a potential issue with the 
following commit in linux-next today:

commit 1447ac26a96463a05ad9f5cfba7eef43d52913ef
Author: Shiyang Ruan <ruansy.fnst@...itsu.com>
Date:   Fri Jun 3 13:37:32 2022 +0800

     fsdax: output address in dax_iomap_pfn() and rename it


The analysis is as follows:


static int dax_iomap_direct_access(const struct iomap *iomap, loff_t pos,
                 size_t size, void **kaddr, pfn_t *pfnp)
{
         pgoff_t pgoff = dax_iomap_pgoff(iomap, pos);
         int id, rc;
         long length;

         id = dax_read_lock();
         length = dax_direct_access(iomap->dax_dev, pgoff, PHYS_PFN(size),
                                    DAX_ACCESS, kaddr, pfnp);
         if (length < 0) {
                 rc = length;
                 goto out;
         }
         if (!pfnp)
                 goto out_check_addr;

The above check jumps to out_check_addr; if kaddr is null then rc is not 
set and a garbage uninitialized value for rc is returned on the out path.


         rc = -EINVAL;
         if (PFN_PHYS(length) < size)
                 goto out;
         if (pfn_t_to_pfn(*pfnp) & (PHYS_PFN(size)-1))
                 goto out;
         /* For larger pages we need devmap */
         if (length > 1 && !pfn_t_devmap(*pfnp))
                 goto out;
         rc = 0;

out_check_addr:
         if (!kaddr)
                 goto out;
         if (!*kaddr)
                 rc = -EFAULT;
out:
         dax_read_unlock(id);
         return rc;
}


Colin
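
The following is an added example, not part of the original message or of the kernel source: a user-space model of the quoted control flow that records whether rc was ever assigned and lists the argument combinations that reach the return without an assignment. The names model, count_unset_paths, kaddr_state and pfn_ok are assumptions made for the example, and the three pfn validity checks are collapsed into one flag.

```c
#include <errno.h>
#include <stdio.h>

/* kaddr argument states: pointer NULL, *kaddr left NULL, *kaddr filled in. */
enum kaddr_state { KADDR_NULL, KADDR_EMPTY, KADDR_FILLED };

/* Return value plus a flag recording whether rc was ever assigned. */
struct outcome { int rc; int rc_set; };

/* User-space model of the quoted control flow (constructed for this note).
 * The three pfn validity checks are collapsed into the pfn_ok flag. */
static struct outcome model(long length, int have_pfnp, int pfn_ok,
                            enum kaddr_state kaddr)
{
    struct outcome o = { 0, 0 };        /* rc_set == 0 models "int rc;" */

    if (length < 0) { o.rc = (int)length; o.rc_set = 1; goto out; }
    if (!have_pfnp)
        goto out_check_addr;            /* rc has not been assigned yet */
    o.rc = -EINVAL; o.rc_set = 1;
    if (!pfn_ok)
        goto out;
    o.rc = 0;
out_check_addr:
    if (kaddr == KADDR_NULL)
        goto out;
    if (kaddr == KADDR_EMPTY) { o.rc = -EFAULT; o.rc_set = 1; }
out:
    return o;
}

/* Count pfnp/kaddr combinations (length >= 0) returning rc unassigned. */
static int count_unset_paths(void)
{
    int n = 0;
    for (int pfnp = 0; pfnp <= 1; pfnp++)
        for (int k = KADDR_NULL; k <= KADDR_FILLED; k++)
            if (!model(1, pfnp, 1, (enum kaddr_state)k).rc_set) {
                printf("rc unassigned: pfnp=%d kaddr_state=%d\n", pfnp, k);
                n++;
            }
    return n;
}

int main(void)
{
    printf("%d paths return rc unassigned\n", count_unset_paths());
    return 0;
}
```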
