| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 05 Dec 2023 13:29:49 +0100
From: Christian Schoenebeck <linux_oss@...debyte.com>
To: Dominique Martinet <asmadeus@...ewreck.org>,
Fedor Pchelkin <pchelkin@...ras.ru>
Cc: Fedor Pchelkin <pchelkin@...ras.ru>, Latchesar Ionkov <lucho@...kov.net>,
Eric Van Hensbergen <ericvh@...nel.org>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
v9fs@...ts.linux.dev, netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>, lvc-project@...uxtesting.org
Subject: Re: [PATCH v2] net: 9p: avoid freeing uninit memory in p9pdu_vreadf
On Tuesday, December 5, 2023 10:19:50 AM CET Fedor Pchelkin wrote:
> If an error occurs while processing an array of strings in p9pdu_vreadf
> then uninitialized members of *wnames array are freed.
>
> Fix this by iterating over only lower indices of the array. Also handle
> possible uninit *wnames usage if first p9pdu_readf() call inside 'T' case
> fails.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> Fixes: ace51c4dd2f9 ("9p: add new protocol support code")
> Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>
> ---
> v2: I've missed that *wnames can also be left uninitialized. Please
> ignore the patch v1. As an answer to Dominique's comment: my
> organization marks this statement in all commits.
>
> net/9p/protocol.c | 12 +++++-------
> 1 file changed, 5 insertions(+), 7 deletions(-)
>
> diff --git a/net/9p/protocol.c b/net/9p/protocol.c
> index 4e3a2a1ffcb3..043b621f8b84 100644
> --- a/net/9p/protocol.c
> +++ b/net/9p/protocol.c
> @@ -393,6 +393,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
> case 'T':{
> uint16_t *nwname = va_arg(ap, uint16_t *);
> char ***wnames = va_arg(ap, char ***);
> + int i;
> + *wnames = NULL;
Consider also initializing `int i = 0;` here. Because ...
>
> errcode = p9pdu_readf(pdu, proto_version,
> "w", nwname);
> @@ -406,8 +408,6 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
> }
>
> if (!errcode) {
> - int i;
> -
> for (i = 0; i < *nwname; i++) {
... this block that initializes `i` is conditional. I mean it does work right
now as-is, because ...
> errcode =
> p9pdu_readf(pdu,
> @@ -421,13 +421,11 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
>
> if (errcode) {
> if (*wnames) {
> - int i;
> -
> - for (i = 0; i < *nwname; i++)
> + while (--i >= 0)
> kfree((*wnames)[i]);
> + kfree(*wnames);
> + *wnames = NULL;
> }
... this is wrapped into `if (*wnames) {` and you initialized *wnames with
NULL, but it just feels like a potential future trap somehow.
Anyway, at least it looks like correct behaviour (ATM), so:
Reviewed-by: Christian Schoenebeck <linux_oss@...debyte.com>
> - kfree(*wnames);
> - *wnames = NULL;
> }
> }
> break;
>
Powered by blists - more mailing lists