lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CA+55aFy1af43uxH1r=_CxTCgPNN802YA+H26Vbbkb=rknqZuXQ@mail.gmail.com>
Date:	Mon, 10 Aug 2015 09:42:03 -0700
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	David Miller <davem@...emloft.net>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Dan Carpenter <dan.carpenter@...cle.com>
Cc:	Network Development <netdev@...r.kernel.org>
Subject: [FWD] PROBLEM: there exists a wrong return value of function mkiss_open()

I don't know how many people care about hamradio, but the report that
mkiss_open() returns success even when register_netdev() fails seems
entirely true. The email was just not sent to the right people..

                   Linus

On Sun, Aug 9, 2015 at 5:08 PM, RUC_Soft_Sec <zy900702@....com> wrote:
> Summary:
>     there exists a wrong return value of function mkiss_open(). It's a
> theoretical problem. we use static analysis method to detect this bug.
> Bug Description:
>
> In function mkiss_open() at drivers/net/hamradio/mkiss.c:726, the call to
> register_netdev() in line 765 may return a negative error code, and thus
> function mkiss_open() will return the value of variable err. And, the
> function mkiss_open() will return 0 at last when it runs well. However, when
> the call to register_netdev() in line 765 return a negative error code, the
> value of err is 0. So the function mkiss_open() will return 0 to its caller
> functions when it runs error because of the failing call to
> register_netdev(), leading to a wrong return value of function mkiss_open().
> The related code snippets in mkiss_open() is as following.
> mkiss_open @@ drivers/net/hamradio/mkiss.c:726
>  726static int mkiss_open(struct tty_struct *tty)
>  727{
>             ...
>  761        if ((err = ax_open(ax->dev))) {
>  762                goto out_free_netdev;
>  763        }
>  764
>  765        if (register_netdev(dev))
>  766                goto out_free_buffers;
>             ...
>  800out_free_buffers:
>  801        kfree(ax->rbuff);
>  802        kfree(ax->xbuff);
>  803
>  804out_free_netdev:
>  805        free_netdev(dev);
>  806
>  807out:
>  808        return err;
>  809}
>
> Generally, when the call to register_netdev() fails, the return value of
> caller functions should be different from another return value set when the
> call to register_netdev() succeeds, like the following codes in another
> file.
> com90io_found @@ drivers/net/arcnet/com90io.c:234
>  234static int __init com90io_found(struct net_device *dev)
>  235{
>             ...
>  268        err = register_netdev(dev);
>  269        if (err) {
>  270                outb((inb(_CONFIG) & ~IOMAPflag), _CONFIG);
>  271                free_irq(dev->irq, dev);
>  272                release_region(dev->base_addr, ARCNET_TOTAL_SIZE);
>  273                return err;
>  274        }
>  275
>  276        BUGMSG(D_NORMAL, "COM90IO: station %02Xh found at %03lXh, IRQ
> %d.\n",
>  277               dev->dev_addr[0], dev->base_addr, dev->irq);
>  278
>  279        return 0;
>  280}
>
> Kernel version:
>     3.19.1
>
>
>
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ