Date:   Sun, 19 Jan 2020 20:31:02 +0900
From:   Taehee Yoo <ap420073@...il.com>
To:     Dan Carpenter <dan.carpenter@...cle.com>
Cc:     kbuild@...ts.01.org, kbuild-all@...ts.01.org,
        David Miller <davem@...emloft.net>,
        Jakub Kicinski <jakub.kicinski@...ronome.com>,
        Netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH net 4/5] netdevsim: use IS_ERR instead of IS_ERR_OR_NULL
 for debugfs

On Fri, 17 Jan 2020 at 12:36, Dan Carpenter <dan.carpenter@...cle.com> wrote:
>

Hi Dan,

> Hi Taehee,
>
> url:    https://github.com/0day-ci/linux/commits/Taehee-Yoo/netdevsim-fix-a-several-bugs-in-netdevsim-module/20200112-004546
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git a5c3a7c0ce1a1cfab15404018933775d7222a517
>
> If you fix the issue, kindly add following tag
> Reported-by: kbuild test robot <lkp@...el.com>
> Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
>
> smatch warnings:
> drivers/net/netdevsim/bpf.c:246 nsim_bpf_create_prog() error: dereferencing freed memory 'state'
>
> # https://github.com/0day-ci/linux/commit/923e31529b0b3f039f837f54c4a1bbd77793256b
> git remote add linux-review https://github.com/0day-ci/linux
> git remote update linux-review
> git checkout 923e31529b0b3f039f837f54c4a1bbd77793256b
> vim +/state +246 drivers/net/netdevsim/bpf.c
>
> d514f41e793d2c Jiri Pirko     2019-04-25  227  static int nsim_bpf_create_prog(struct nsim_dev *nsim_dev,
> b26b6946a62f37 Jiri Pirko     2019-04-12  228                           struct bpf_prog *prog)
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  229  {
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  230   struct nsim_bpf_bound_prog *state;
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  231   char name[16];
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  232
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  233   state = kzalloc(sizeof(*state), GFP_KERNEL);
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  234   if (!state)
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  235           return -ENOMEM;
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  236
> d514f41e793d2c Jiri Pirko     2019-04-25  237   state->nsim_dev = nsim_dev;
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  238   state->prog = prog;
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  239   state->state = "verify";
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  240
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  241   /* Program id is not populated yet when we create the state. */
> d514f41e793d2c Jiri Pirko     2019-04-25  242   sprintf(name, "%u", nsim_dev->prog_id_gen++);
> d514f41e793d2c Jiri Pirko     2019-04-25  243   state->ddir = debugfs_create_dir(name, nsim_dev->ddir_bpf_bound_progs);
> 923e31529b0b3f Taehee Yoo     2020-01-11  244   if (IS_ERR(state->ddir)) {
> 31d3ad832948c7 Jakub Kicinski 2017-12-01  245           kfree(state);
>                                                               ^^^^^
> state is freed.
>
> 923e31529b0b3f Taehee Yoo     2020-01-11 @246           return PTR_ERR(state->ddir);
>                                                                        ^^^^^^^^^^^
> Then dereferenced afterward.
>

Thank you for catching this bug.
I will fix this.

Thank you!
Taehee Yoo
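
The ordering problem flagged in the quoted report, modelled in userspace C as an added example (not part of the original message and not the fix that was later applied): the error code is copied out of `state->ddir` before `state` is freed. `struct bound_prog`, `fake_create_dir()` and `create_prog()` are hypothetical stand-ins, and `ERR_PTR`/`PTR_ERR`/`IS_ERR` are re-implemented here after the kernel's error-pointer convention.

```c
/* Userspace model of the reported error path; added example, not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Re-implemented here after the kernel's error-pointer convention. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
struct bound_prog {            /* hypothetical, reduced nsim_bpf_bound_prog */
	const char *state;
	void *ddir;
};

/* Hypothetical stand-in for debugfs_create_dir(): fails on request. */
static void *fake_create_dir(int fail)
{
	static int dir;
	return fail ? ERR_PTR(-ENOMEM) : (void *)&dir;
}

/* Copy the error code out of state->ddir BEFORE freeing state, so the
 * return statement never reads freed memory. */
static int create_prog(int fail, struct bound_prog **out)
{
	struct bound_prog *state = calloc(1, sizeof(*state));
	int err;
	if (!state)
		return -ENOMEM;
	state->state = "verify";
	state->ddir = fake_create_dir(fail);
	if (IS_ERR(state->ddir)) {
		err = (int)PTR_ERR(state->ddir); /* save first */
		free(state);                     /* then release */
		return err;
	}
	*out = state;
	return 0;
}

int main(void)
{
	struct bound_prog *p = NULL;
	printf("failure path: %d\n", create_prog(1, &p));
	printf("success path: %d\n", create_prog(0, &p));
	free(p);
}
```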
