lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 28 Sep 2022 14:57:07 +0200
From:   Christian Schoenebeck <linux_oss@...debyte.com>
To:     asmadeus@...ewreck.org, Leon Romanovsky <leon@...nel.org>
Cc:     syzbot <syzbot+67d13108d855f451cafc@...kaller.appspotmail.com>,
        davem@...emloft.net, edumazet@...gle.com, ericvh@...il.com,
        kuba@...nel.org, linux-kernel@...r.kernel.org, lucho@...kov.net,
        netdev@...r.kernel.org, pabeni@...hat.com,
        syzkaller-bugs@...glegroups.com,
        v9fs-developer@...ts.sourceforge.net
Subject: Re: [syzbot] KASAN: use-after-free Read in rdma_close

On Mittwoch, 28. September 2022 13:54:03 CEST Leon Romanovsky wrote:
> On Wed, Sep 28, 2022 at 08:23:14PM +0900, asmadeus@...ewreck.org wrote:
> > Leon Romanovsky wrote on Wed, Sep 28, 2022 at 01:49:19PM +0300:
> > > > But I agree I did get that wrong: trans_mod->close() wasn't called if
> > > > create failed.
> > > > We do want the idr_for_each_entry() that is in p9_client_destroy so
> > > > rather than revert the commit (fix a bug, create a new one..) I'd
> > > > rather
> > > > split it out in an internal function that takes a 'bool close' or
> > > > something to not duplicate the rest.
> > > > (Bit of a nitpick, sure)
> > > 
> > > Please do proper unwind without extra variable.
> > > 
> > > Proper unwind means that you will call to symmetrical functions in
> > > destroy as you used in create:
> > > alloc -> free
> > > create -> close
> > > e.t.c
> > > 
> > > When you use some global function like you did, there is huge chance
> > > to see unwind bugs.
> > 
> > No.
> 
> Let's agree to disagree.
> 
> > Duplicating complicated cleanup code leads to leaks like we used to
> > have; that destroy function already frees up things in the right order.
> 
> It is pretty straightforward code, nothing complex there.
> 
> Just pause for a minute, and ask yourself how totally random guy who
> looked on this syzbot bug just because RDMA name in it, found the issue
> so quickly.
> 
> I will give a hint, I saw not symmetrical error unwind in call trace.

OK, maybe it's just me, but ask yourself Leon, if you were the only guy left 
(i.e. Dominique) still actively taking care for 9p, would those exactly be 
motivating phrases for your efforts? Just saying.

>From technical perspective, yes, destruction in reverse order is usually the 
better way to go. Whether I would carve that in stone, without any exception, 
probably not.

Best regards,
Christian Schoenebeck

Powered by blists - more mailing lists