| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Aug 2022 16:00:54 +0200
From: Juergen Gross <jgross@...e.com>
To: Jan Beulich <jbeulich@...e.com>,
Rustam Subkhankulov <subkhankulov@...ras.ru>
Cc: Stefano Stabellini <sstabellini@...nel.org>,
Oleksandr Tyshchenko <oleksandr_tyshchenko@...m.com>,
xen-devel@...ts.xenproject.org, linux-kernel@...r.kernel.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>,
ldv-project@...uxtesting.org
Subject: Re: [POSSIBLE BUG] Dereferencing of NULL pointer
On 24.08.22 15:59, Jan Beulich wrote:
> On 20.08.2022 19:30, Rustam Subkhankulov wrote:
>> Version: 6.0-rc1
>>
>> Description:
>>
>> In function 'privcmd_ioctl_dm_op' (drivers/xen/privcmd.c: 615)return
>> value of 'kcalloc' with GFP_KERNEL flag is assigned to "pages"
>> variable. GFP_KERNEL flag does not guarantee, that the return value
>> will not be NULL. In that case, there is a jump to the "out" label.
>
> The problem is wider than that, because earlier errors would also
> lead to "out" (e.g. after copy_from_user() failed). Plus I guess
> unlock_pages() shouldn't be called at all (or with its 2nd arg set
> to zero) before lock_pages() was actually called. But I agree with
> the further analysis below. Would you mind sending a patch?
Just started writing it. :-)
Juergen
Download attachment "OpenPGP_0xB0DE9DD628BF132F.asc" of type "application/pgp-keys" (3099 bytes)
Download attachment "OpenPGP_signature" of type "application/pgp-signature" (496 bytes)
Powered by blists - more mailing lists