| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8736cfs73w.fsf@toke.dk> Date: Thu, 16 Jan 2020 17:23:31 +0100 From: Toke Høiland-Jørgensen <toke@...hat.com> To: Florian Westphal <fw@...len.de> Cc: Florian Westphal <fw@...len.de>, netdev@...r.kernel.org Subject: Re: [PATCH net-next] netlink: make getters tolerate NULL nla arg Florian Westphal <fw@...len.de> writes: > Toke Høiland-Jørgensen <toke@...hat.com> wrote: >> Florian Westphal <fw@...len.de> writes: >> >> > One recurring bug pattern triggered by syzbot is NULL dereference in >> > netlink code paths due to a missing "tb[NL_ARG_FOO] != NULL" test. >> > >> > At least some of these missing checks would not have crashed the kernel if >> > the various nla_get_XXX helpers would return 0 in case of missing arg. >> >> Won't this risk just papering over the issue and lead to subtly wrong >> behaviour instead? At least a crash is somewhat visible :) > > How? Its no different than tb[X] being set with a 0 value. I was thinking that at lack of NULL check could also imply a lack of proper bounds checking. And that the crashes at least shine a light on them forcing people to consider whether that is indeed the case? (IDK if that's actually the case, I'm asking :)) -Toke
Powered by blists - more mailing lists