lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d956e0f2-546e-ddfd-86eb-9afb8549b40d@oracle.com>
Date:   Tue, 27 Jul 2021 03:53:37 +0530
From:   Harshvardhan Jha <harshvardhan.jha@...cle.com>
To:     Stefano Stabellini <sstabellini@...nel.org>, asmadeus@...ewreck.org
Cc:     ericvh@...il.com, lucho@...kov.net, davem@...emloft.net,
        kuba@...nel.org, v9fs-developer@...ts.sourceforge.net,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [External] : Re: [PATCH] 9p/xen: Fix end of loop tests for
 list_for_each_entry



On 27/07/21 3:00 am, Stefano Stabellini wrote:
> On Mon, 26 Jul 2021, asmadeus@...ewreck.org wrote:
>> Harshvardhan Jha wrote on Sun, Jul 25, 2021 at 11:21:03PM +0530:
>>> The list_for_each_entry() iterator, "priv" in this code, can never be
>>> NULL so the warning would never be printed.
>>
>> hm? priv won't be NULL but priv->client won't be client, so it will
>> return -EINVAL alright in practice?
>>
>> This does fix an invalid read after the list head, so there's a real
>> bug, but the commit message needs fixing.
> 
> Agreed
> 
> 
>>> Signed-off-by: Harshvardhan Jha <harshvardhan.jha@...cle.com>
>>> ---
>>>  From static analysis.  Not tested.
>>
>> +Stefano in To - I also can't test xen right now :/
>> This looks functional to me but if you have a bit of time to spare just
>> a mount test can't hurt.
> 
> Yes, I did test it successfully. Aside from the commit messaged to be
> reworded:
How's this?
===========================BEGIN========================================
9p/xen: Fix end of loop tests for list_for_each_entry

This patch addresses the following problems:
  - priv can never be NULL, so this part of the check is useless
  - if the loop ran through the whole list, priv->client is invalid and
it is more appropriate and sufficient to check for the end of
list_for_each_entry loop condition.

Signed-off-by: Harshvardhan Jha <harshvardhan.jha@...cle.com>
---
 From static analysis. Not tested.
===========================END==========================================
> 
> Reviewed-by: Stefano Stabellini <sstabellini@...nel.org>
> Tested-by: Stefano Stabellini <sstabellini@...nel.org>
> 
> 
>>> ---
>>>   net/9p/trans_xen.c | 4 ++--
>>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
>>> index f4fea28e05da..3ec1a51a6944 100644
>>> --- a/net/9p/trans_xen.c
>>> +++ b/net/9p/trans_xen.c
>>> @@ -138,7 +138,7 @@ static bool p9_xen_write_todo(struct xen_9pfs_dataring *ring, RING_IDX size)
>>>   
>>>   static int p9_xen_request(struct p9_client *client, struct p9_req_t *p9_req)
>>>   {
>>> -	struct xen_9pfs_front_priv *priv = NULL;
>>> +	struct xen_9pfs_front_priv *priv;
>>>   	RING_IDX cons, prod, masked_cons, masked_prod;
>>>   	unsigned long flags;
>>>   	u32 size = p9_req->tc.size;
>>> @@ -151,7 +151,7 @@ static int p9_xen_request(struct p9_client *client, struct p9_req_t *p9_req)
>>>   			break;
>>>   	}
>>>   	read_unlock(&xen_9pfs_lock);
>>> -	if (!priv || priv->client != client)
>>> +	if (list_entry_is_head(priv, &xen_9pfs_devs, list))
>>>   		return -EINVAL;
>>>   
>>>   	num = p9_req->tc.tag % priv->num_rings;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ