lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.21.2107261357210.10122@sstabellini-ThinkPad-T480s>
Date:   Mon, 26 Jul 2021 14:30:44 -0700 (PDT)
From:   Stefano Stabellini <sstabellini@...nel.org>
To:     asmadeus@...ewreck.org
cc:     Harshvardhan Jha <harshvardhan.jha@...cle.com>,
        Stefano Stabellini <sstabellini@...nel.org>, ericvh@...il.com,
        lucho@...kov.net, davem@...emloft.net, kuba@...nel.org,
        v9fs-developer@...ts.sourceforge.net, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] 9p/xen: Fix end of loop tests for list_for_each_entry

On Mon, 26 Jul 2021, asmadeus@...ewreck.org wrote:
> Harshvardhan Jha wrote on Sun, Jul 25, 2021 at 11:21:03PM +0530:
> > The list_for_each_entry() iterator, "priv" in this code, can never be
> > NULL so the warning would never be printed.
> 
> hm? priv won't be NULL but priv->client won't be client, so it will
> return -EINVAL alright in practice?
> 
> This does fix an invalid read after the list head, so there's a real
> bug, but the commit message needs fixing.

Agreed


> > Signed-off-by: Harshvardhan Jha <harshvardhan.jha@...cle.com>
> > ---
> > From static analysis.  Not tested.
> 
> +Stefano in To - I also can't test xen right now :/
> This looks functional to me but if you have a bit of time to spare just
> a mount test can't hurt.

Yes, I did test it successfully. Aside from the commit messaged to be
reworded:

Reviewed-by: Stefano Stabellini <sstabellini@...nel.org>
Tested-by: Stefano Stabellini <sstabellini@...nel.org>


> > ---
> >  net/9p/trans_xen.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
> > index f4fea28e05da..3ec1a51a6944 100644
> > --- a/net/9p/trans_xen.c
> > +++ b/net/9p/trans_xen.c
> > @@ -138,7 +138,7 @@ static bool p9_xen_write_todo(struct xen_9pfs_dataring *ring, RING_IDX size)
> >  
> >  static int p9_xen_request(struct p9_client *client, struct p9_req_t *p9_req)
> >  {
> > -	struct xen_9pfs_front_priv *priv = NULL;
> > +	struct xen_9pfs_front_priv *priv;
> >  	RING_IDX cons, prod, masked_cons, masked_prod;
> >  	unsigned long flags;
> >  	u32 size = p9_req->tc.size;
> > @@ -151,7 +151,7 @@ static int p9_xen_request(struct p9_client *client, struct p9_req_t *p9_req)
> >  			break;
> >  	}
> >  	read_unlock(&xen_9pfs_lock);
> > -	if (!priv || priv->client != client)
> > +	if (list_entry_is_head(priv, &xen_9pfs_devs, list))
> >  		return -EINVAL;
> >  
> >  	num = p9_req->tc.tag % priv->num_rings;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ