lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 27 Jun 2022 19:18:00 +0800
From:   Katrin Jo <zys.zljxml@...il.com>
To:     Eric Dumazet <edumazet@...gle.com>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>,
        Jakub Kicinski <kuba@...nel.org>,
        David Miller <davem@...emloft.net>,
        Eric Dumazet <eric.dumazet@...il.com>,
        Paolo Abeni <pabeni@...hat.com>,
        katrinzhou <katrinzhou@...cent.com>
Subject: Re: [PATCH v2] ipv6/sit: fix ipip6_tunnel_get_prl when memory
 allocation fails

On Mon, Jun 27, 2022 at 5:01 PM Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Sat, Jun 25, 2022 at 7:45 AM <zys.zljxml@...il.com> wrote:
> >
> > From: katrinzhou <katrinzhou@...cent.com>
> >
> > Fix an illegal copy_to_user() attempt when the system fails to
> > allocate memory for prl due to a lack of memory.
>
> I do not really see an illegal copy_to_user()
>
> c = 0
> -> len = 0
>
> if ((len && copy_to_user(a + 1, kp, len)) || put_user(len, &a->datalen))
>
> So the copy_to_user() should not be called ?
>
> I think you should only mention that after this patch, correct error
> code is returned (-ENOMEM)
>
>
> >
> > Addresses-Coverity: ("Unused value")
> > Fixes: 300aaeeaab5f ("[IPV6] SIT: Add SIOCGETPRL ioctl to get/dump PRL.")
> > Signed-off-by: katrinzhou <katrinzhou@...cent.com>
> > ---
> >
> > Changes in v2:
> > - Move the position of label "out"
> >
> >  net/ipv6/sit.c | 7 +++----
> >  1 file changed, 3 insertions(+), 4 deletions(-)
> >
> > diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
> > index c0b138c20992..3330882c0f94 100644
> > --- a/net/ipv6/sit.c
> > +++ b/net/ipv6/sit.c
> > @@ -323,8 +323,6 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> >                 kcalloc(cmax, sizeof(*kp), GFP_KERNEL_ACCOUNT | __GFP_NOWARN) :
> >                 NULL;
> >
> > -       rcu_read_lock();
> > -
> >         ca = min(t->prl_count, cmax);
> >
> >         if (!kp) {
> > @@ -342,6 +340,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> >         }
> >
> >         c = 0;
> > +       rcu_read_lock();
> >         for_each_prl_rcu(t->prl) {
> >                 if (c >= cmax)
> >                         break;
> > @@ -353,7 +352,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> >                 if (kprl.addr != htonl(INADDR_ANY))
> >                         break;
> >         }
> > -out:
> > +
> >         rcu_read_unlock();
> >
> >         len = sizeof(*kp) * c;
> > @@ -362,7 +361,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ip_tunnel_prl __u
> >                 ret = -EFAULT;
> >
> >         kfree(kp);
> > -
> > +out:
> >         return ret;
> >  }
> >
> > --
> > 2.27.0
> >

Thanks for pointing that out. I will modify the message in the next
version of the patch.
And, could c = 0 (line 344) be removed? It is initialized at the beginning.
I think it is a cleanup work.

Best Regards,
Katrin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ