lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 27 Jul 2018 17:39:04 +0200
From:   Dominique Martinet <asmadeus@...ewreck.org>
To:     Tomas Bortoli <tomasbortoli@...il.com>
Cc:     davem@...emloft.net, v9fs-developer@...ts.sourceforge.net,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller@...glegroups.com
Subject: Re: [PATCH] 9p: fix multiple NULL-pointer-dereferences

Tomas Bortoli wrote on Fri, Jul 27, 2018:
> Added checks to prevent GPFs from raising.
> 
> Signed-off-by: Tomas Bortoli <tomasbortoli@...il.com>
> Reported-by: syzbot+1a262da37d3bead15c39@...kaller.appspotmail.com

LGTM, I'll take this. Thanks!

Just a note for future patchs that have multiple versions, it's usually
good to write in the subject [PATCH v2] (then v3 etc) so we can easily
tell it's a new version.
If the thread isn't too long I'd also recommend considering setting a
reply-to to the previous patch so we can easily compare versions/write
off old patches.

> ---
>  net/9p/trans_fd.c     | 5 ++++-
>  net/9p/trans_rdma.c   | 3 +++
>  net/9p/trans_virtio.c | 3 +++
>  net/9p/trans_xen.c    | 3 +++
>  4 files changed, 13 insertions(+), 1 deletion(-)
> 
> diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
> index 964260265b13..e2ef3c782c53 100644
> --- a/net/9p/trans_fd.c
> +++ b/net/9p/trans_fd.c
> @@ -945,7 +945,7 @@ p9_fd_create_tcp(struct p9_client *client, const char *addr, char *args)
>  	if (err < 0)
>  		return err;
>  
> -	if (valid_ipaddr4(addr) < 0)
> +	if (addr == NULL || valid_ipaddr4(addr) < 0)
>  		return -EINVAL;
>  
>  	csocket = NULL;
> @@ -995,6 +995,9 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
>  
>  	csocket = NULL;
>  
> +	if (addr == NULL)
> +		return -EINVAL;
> +
>  	if (strlen(addr) >= UNIX_PATH_MAX) {
>  		pr_err("%s (%d): address too long: %s\n",
>  		       __func__, task_pid_nr(current), addr);
> diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
> index 2649b2ebf961..2ab4574183c9 100644
> --- a/net/9p/trans_rdma.c
> +++ b/net/9p/trans_rdma.c
> @@ -645,6 +645,9 @@ rdma_create_trans(struct p9_client *client, const char *addr, char *args)
>  	struct rdma_conn_param conn_param;
>  	struct ib_qp_init_attr qp_attr;
>  
> +	if (addr == NULL)
> +		return -EINVAL;
> +
>  	/* Parse the transport specific mount options */
>  	err = parse_opts(args, &opts);
>  	if (err < 0)
> diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
> index 06dcd3cc6a29..8ca356eb66bb 100644
> --- a/net/9p/trans_virtio.c
> +++ b/net/9p/trans_virtio.c
> @@ -654,6 +654,9 @@ p9_virtio_create(struct p9_client *client, const char *devname, char *args)
>  	int ret = -ENOENT;
>  	int found = 0;
>  
> +	if (devname == NULL)
> +		return -EINVAL;
> +
>  	mutex_lock(&virtio_9p_lock);
>  	list_for_each_entry(chan, &virtio_chan_list, chan_list) {
>  		if (!strncmp(devname, chan->tag, chan->tag_len) &&
> diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
> index 2e2b8bca54f3..c2d54ac76bfd 100644
> --- a/net/9p/trans_xen.c
> +++ b/net/9p/trans_xen.c
> @@ -94,6 +94,9 @@ static int p9_xen_create(struct p9_client *client, const char *addr, char *args)
>  {
>  	struct xen_9pfs_front_priv *priv;
>  
> +	if (addr == NULL)
> +		return -EINVAL;
> +
>  	read_lock(&xen_9pfs_lock);
>  	list_for_each_entry(priv, &xen_9pfs_devs, list) {
>  		if (!strcmp(priv->tag, addr)) {

-- 
Dominique Martinet

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ