| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <vbfmutw2f9u.fsf@reg-r-vrt-018-180.mtr.labs.mlnx>
Date: Thu, 09 Aug 2018 10:03:09 +0300
From: Vlad Buslov <vladbu@...lanox.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: Linux Kernel Network Developers <netdev@...r.kernel.org>,
David Miller <davem@...emloft.net>,
Jamal Hadi Salim <jhs@...atatu.com>,
Jiri Pirko <jiri@...nulli.us>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Yevgeny Kliteynik <kliteyn@...lanox.com>
Subject: Re: [PATCH net-next v6 11/11] net: sched: change action API to use array of pointers to actions
On Wed 08 Aug 2018 at 18:29, Cong Wang <xiyou.wangcong@...il.com> wrote:
> On Wed, Aug 8, 2018 at 4:41 AM Vlad Buslov <vladbu@...lanox.com> wrote:
>>
>>
>> On Tue 07 Aug 2018 at 23:26, Cong Wang <xiyou.wangcong@...il.com> wrote:
>> > On Thu, Jul 5, 2018 at 7:24 AM Vlad Buslov <vladbu@...lanox.com> wrote:
>> >> attr_size = tcf_action_full_attrs_size(attr_size);
>> >>
>> >> if (event == RTM_GETACTION)
>> >> - ret = tcf_get_notify(net, portid, n, &actions, event, extack);
>> >> + ret = tcf_get_notify(net, portid, n, actions, event, extack);
>> >> else { /* delete */
>> >> - ret = tcf_del_notify(net, n, &actions, portid, attr_size, extack);
>> >> + ret = tcf_del_notify(net, n, actions, &acts_deleted, portid,
>> >> + attr_size, extack);
>> >> if (ret)
>> >> goto err;
>> >> return ret;
>> >> }
>> >> err:
>> >> - tcf_action_put_lst(&actions);
>> >> + tcf_action_put_many(&actions[acts_deleted]);
>> >> return ret;
>> >
>> > How does this even work?
>> >
>> > You save an index in 'acts_deleted', but you pass &actions[acts_deleted]
>> > to tcf_action_put_many(), which seems you want to start from
>> > where it fails, but inside tcf_action_put_many() it starts from 0
>> > to TCA_ACT_MAX_PRIO, out-of-bound access at least?
>>
>> Actions array is declared to be TCA_ACT_MAX_PRIO+1 in size, and
>
>
> Declaration doesn't matter at all, functions see it as a pure pointer
> once you pass it as an argument.
>
>
>> initialized to NULL pointers. In loop inside tcf_action_put_many() there
>> are two checks: One is that index is less than TCA_ACT_MAX_PRIO and
>> another one that pointer is not NULL. In this case I rely on extra NULL
>> pointer at the end of actions array to prevent out-of-bound access.
>
> True, but you pass &actions[acts_deleted] as the start of the array,
> so inside it would be:
>
> &actions[acts_deleted][0]...&actions[acts_deleted][MAX_PRIO]
>
> So, the overall of the result is:
>
> actions[acts_deleted]...actions[acts_deleted + MAX_PRIO]
>
> You have out-of-bound access when acts_deleted > 1.
>
> And if acts_deleted == MAX_PRIO-1, then you don't have any
> NULL pointer to rely on.
Lets look at the loop inside tcf_action_put_many():
for (i = 0; i < TCA_ACT_MAX_PRIO && actions[i]; i++) {
struct tc_action *a = actions[i];
const struct tc_action_ops *ops = a->ops;
if (tcf_action_put(a))
module_put(ops->owner);
}
In the case you highlighted I rely on second conditional - pointer to
action in array is not NULL. As I already explained in my previous
email, by making initial array TCA_ACT_MAX_PRIO+1 in size I ensure that
there is always a NULL pointer at the end of sequence of actions pointed
by 'actions' pointer/array.
Powered by blists - more mailing lists