lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAM9d7ciWOWbR52HyEG-imv1rhctbuY+QaOdkuhRYvDoc+_J9pA@mail.gmail.com>
Date:   Sat, 1 Jul 2023 11:37:27 -0700
From:   Namhyung Kim <namhyung@...nel.org>
To:     Ian Rogers <irogers@...gle.com>
Cc:     Arnaldo Carvalho de Melo <acme@...hat.com>,
        Chenyuan Mi <cymi20@...an.edu.cn>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1] lib subcmd: Avoid use-after-free when no commands are excluded

On Mon, Jun 26, 2023 at 3:22 PM Ian Rogers <irogers@...gle.com> wrote:
>
> The array shortening may be an unnecessary array copy. Before commit
> 657a3efee43a ("lib subcmd: Avoid memory leak in exclude_cmds") this
> was benign, but afterwards this could lead to a segv.
>
> Fixes: 657a3efee43a ("lib subcmd: Avoid memory leak in exclude_cmds")
> Signed-off-by: Ian Rogers <irogers@...gle.com>
> ---
>  tools/lib/subcmd/help.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/tools/lib/subcmd/help.c b/tools/lib/subcmd/help.c
> index 67a8d6b740ea..b59ca17e406d 100644
> --- a/tools/lib/subcmd/help.c
> +++ b/tools/lib/subcmd/help.c
> @@ -77,10 +77,11 @@ void exclude_cmds(struct cmdnames *cmds, struct cmdnames *excludes)
>                         ei++;
>                 }
>         }
> -
> -       while (ci < cmds->cnt) {
> -               zfree(&cmds->names[cj]);
> -               cmds->names[cj++] = cmds->names[ci++];
> +       if (ci != cj) {
> +               while (ci < cmds->cnt) {
> +                       zfree(&cmds->names[cj]);
> +                       cmds->names[cj++] = cmds->names[ci++];

I'm not sure I'm following the logic in this function well
but it seems we also need to check the same thing
in the above loop - if (cmp < 0).

Thanks,
Namhyung


> +               }
>         }
>         for (ci = cj; ci < cmds->cnt; ci++)
>                 zfree(&cmds->names[ci]);
> --
> 2.41.0.162.gfafddb0af9-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ