| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c4496c05-8482-4344-8641-083050ecb6c6@lucifer.local>
Date: Tue, 17 Jun 2025 09:51:43 +0100
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: David Hildenbrand <david@...hat.com>
Cc: Lance Yang <ioworker0@...il.com>, akpm@...ux-foundation.org,
21cnbao@...il.com, Liam.Howlett@...cle.com, vbabka@...e.cz,
jannh@...gle.com, linux-kernel@...r.kernel.org, linux-mm@...ck.org,
Lance Yang <lance.yang@...ux.dev>
Subject: Re: [PATCH 1/1] mm/madvise: initialize prev pointer in
madvise_walk_vmas
On Tue, Jun 17, 2025 at 09:43:06AM +0100, Lorenzo Stoakes wrote:
> On Tue, Jun 17, 2025 at 09:54:29AM +0200, David Hildenbrand wrote:
> > On 17.06.25 04:05, Lance Yang wrote:
> > > From: Lance Yang <lance.yang@...ux.dev>
> > >
> > > The prev pointer was uninitialized, which could lead to undefined behavior
> > > where its address is taken and passed to the visit() callback without being
> > > assigned a value.
> >
> > So, we are passing the pointer value to visit(), which is not undefined
> > behavior.
> >
> > The issue would be if anybody takes a look at the value stored at that
> > pointer. Because, already passing an uninitialized value to a (non-inlined)
> > function is undefined behavior according to C.
> >
> > In madvise_update_vma()->vma_modify_flags_name() we do exactly that,
> > correct?
> >
> > vma = vma_modify_flags_name(&vmi, *prev, ...
> >
> > We should use Fixes: then.
>
> A note if people were hoping to blame 94d7d9233951, well before that patch we
> had:
>
> - *prev = vma_merge(&vmi, mm, *prev, start, end, new_flags,
> - vma->anon_vma, vma->vm_file, pgoff, vma_policy(vma),
> - vma->vm_userfaultfd_ctx, anon_name);
>
> Note the *prev...
Oops I didn't mean to send this one ;)
>
> >
> >
> > Acked-by: David Hildenbrand <david@...hat.com>
> >
> > >
> > > Initializing it to NULL makes the code safer and prevents potential bugs
> > > if a future callback function attempts to read from it.
> > >
> > > Signed-off-by: Lance Yang <lance.yang@...ux.dev>
> > > ---
> > > mm/madvise.c | 4 ++--
> > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/mm/madvise.c b/mm/madvise.c
> > > index 267d8e4adf31..c87325000303 100644
> > > --- a/mm/madvise.c
> > > +++ b/mm/madvise.c
> > > @@ -1536,10 +1536,10 @@ int madvise_walk_vmas(struct mm_struct *mm, unsigned long start,
> > > struct vm_area_struct **prev, unsigned long start,
> > > unsigned long end, void *arg))
> > > {
> > > + struct vm_area_struct *prev = NULL;
> > > struct vm_area_struct *vma;
> > > - struct vm_area_struct *prev;
> > > - unsigned long tmp;
> > > int unmapped_error = 0;
> > > + unsigned long tmp;
> > > int error;
> > > /*
> >
> >
> > --
> > Cheers,
> >
> > David / dhildenb
> >
Powered by blists - more mailing lists