lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230919-deeskalation-hinsehen-3b6765180d71@brauner>
Date:   Tue, 19 Sep 2023 16:16:07 +0200
From:   Christian Brauner <brauner@...nel.org>
To:     Max Kellermann <max.kellermann@...os.com>
Cc:     Alexander Viro <viro@...iv.linux.org.uk>,
        "Matthew Wilcox (Oracle)" <willy@...radead.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Hugh Dickins <hughd@...gle.com>, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [PATCH] pipe_fs_i.h: add pipe_buf_init()

On Tue, Sep 19, 2023 at 03:55:36PM +0200, Max Kellermann wrote:
> On Tue, Sep 19, 2023 at 3:45 PM Christian Brauner <brauner@...nel.org> wrote:
> > So pipe_buf->private may now contain garbage.
> 
> NULL is just as garbage as the other 2^64-1 possible pointer values.
> NULL isn't special here, nobody checks the field for NULL. This field

You're changing how the code currently works which is written in a way
that ensures all fields are initialized to zero. The fact that currently
nothing looks at private is irrelevant.

Following your argument below this might very easily be the cause for
another CVE when something starts looking at this.

Wouldn't it make more sense to have the pipe_buf_init() initialize the
whole thing and for the place where it leaves buf->private untouched you
can just do:

unsigned long private = buf->private
pipe_buf_init(buf, page, 0, 0, &anon_pipe_buf_ops,
	      PIPE_BUF_FLAG_CAN_MERGE, private)

So just use a compound initializer in pipe_buf_init() just like we do in
copy_clone_args_from_user()?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ