lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <beac131a-6c8c-4ed7-8714-416c57ea0fbb@linux.ibm.com>
Date: Tue, 25 Jun 2024 11:09:20 +0200
From: Alexandra Winter <wintera@...ux.ibm.com>
To: yskelg@...il.com, Thorsten Winkler <twinkler@...ux.ibm.com>,
        Heiko Carstens <hca@...ux.ibm.com>, Vasily Gorbik <gor@...ux.ibm.com>,
        Alexander Gordeev <agordeev@...ux.ibm.com>,
        Christian Borntraeger <borntraeger@...ux.ibm.com>,
        Sven Schnelle <svens@...ux.ibm.com>,
        Markus Elfring <Markus.Elfring@....de>
Cc: MichelleJin <shjy180909@...il.com>, linux-s390@...r.kernel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] s390/netiucv: handle memory allocation failure in
 conn_action_start()



On 25.06.24 04:48, yskelg@...il.com wrote:
> From: Yunseong Kim <yskelg@...il.com>

Thank you very much Yunseong, for finding and reporting this potential 
null-pointer dereference.
And thank you Markus Elfring for your valuable comments.

> 
> A null pointer is stored in the data structure member "path" after a call
> of the function "iucv_path_alloc" failed. This pointer was passed to
> a subsequent call of the function "iucv_path_connect" where an undesirable
> dereference will be performed then. Thus add a corresponding return value
> check. This prevent null pointer dereferenced kernel panic when memory
> exhausted situation with the netiucv driver operating as an FSM state
> in "conn_action_start".

I would prefer an even shorter commit message. Allocating memory
without checking for failure is a common error pattern, I think.

> 
> Fixes: eebce3856737 ("[S390]: Adapt netiucv driver to new IUCV API")
> Cc: linux-s390@...r.kernel.org
> Signed-off-by: Yunseong Kim <yskelg@...il.com>
> ---
>  drivers/s390/net/netiucv.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/s390/net/netiucv.c b/drivers/s390/net/netiucv.c
> index 039e18d46f76..d3ae78c0240f 100644
> --- a/drivers/s390/net/netiucv.c
> +++ b/drivers/s390/net/netiucv.c
> @@ -855,6 +855,9 @@ static void conn_action_start(fsm_instance *fi, int event, void *arg)
>  
>  	fsm_newstate(fi, CONN_STATE_SETUPWAIT);
>  	conn->path = iucv_path_alloc(NETIUCV_QUEUELEN_DEFAULT, 0, GFP_KERNEL);
> +	if (!conn->path)
> +		return;
> +


On 25.06.24 09:24, Markus Elfring wrote:
> 
> Would the following statement variant become more appropriate here?
> 
> +		return -ENOMEM;

conn_action_start(), like the other fsm functions, does not have a return value.
But simply returning will not prevent the next fsm function from trying to use
conn->path.

So I think you need to do
fsm_newstate(fi, CONN_STATE_CONNERR);
before you return.

You could use rc = -ENOMEM and a goto to the IUCV_DBF_TEXT_ debug message,
if you want to. But I am not too concerned about the details of error handling:
If your memory is so scarce that you cannot even allocate a handful of bytes,
then you should be seeing warnings all over the place.















Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ