| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 06 Dec 2023 14:12:37 +0100
From: Christian Schoenebeck <linux_oss@...debyte.com>
To: Dominique Martinet <asmadeus@...ewreck.org>,
Fedor Pchelkin <pchelkin@...ras.ru>
Cc: Fedor Pchelkin <pchelkin@...ras.ru>,
Eric Van Hensbergen <ericvh@...nel.org>, Latchesar Ionkov <lucho@...kov.net>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
v9fs@...ts.linux.dev, netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>, lvc-project@...uxtesting.org
Subject: Re: [PATCH v3] net: 9p: avoid freeing uninit memory in p9pdu_vreadf
On Tuesday, December 5, 2023 7:05:22 PM CET Fedor Pchelkin wrote:
> If some of p9pdu_readf() calls inside case 'T' in p9pdu_vreadf() fails,
> the error path is not handled properly. *wnames or members of *wnames
> array may be left uninitialized and invalidly freed.
>
> In order not to complicate the code with array index processing, fix the
> problem with initializing *wnames to NULL in beginning of case 'T' and
> using kcalloc() to allocate and initialize the array. For assurance,
> nullify the failing *wnames element (the callee handles that already -
> e.g. see 's' case).
>
> Found by Linux Verification Center (linuxtesting.org).
>
> Fixes: ace51c4dd2f9 ("9p: add new protocol support code")
> Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>
> ---
> v2: I've missed that *wnames can also be left uninitialized. Please
> ignore the patch v1. As an answer to Dominique's comment: my
> organization marks this statement in all commits.
> v3: Simplify the patch by using kcalloc() instead of array indices
> manipulation per Christian Schoenebeck's remark. Update the commit
> message accordingly.
>
> net/9p/protocol.c | 15 +++++++++------
> 1 file changed, 9 insertions(+), 6 deletions(-)
>
> diff --git a/net/9p/protocol.c b/net/9p/protocol.c
> index 4e3a2a1ffcb3..7067fb49d713 100644
> --- a/net/9p/protocol.c
> +++ b/net/9p/protocol.c
> @@ -394,13 +394,14 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
> uint16_t *nwname = va_arg(ap, uint16_t *);
> char ***wnames = va_arg(ap, char ***);
>
> + *wnames = NULL;
> +
> errcode = p9pdu_readf(pdu, proto_version,
> "w", nwname);
> if (!errcode) {
> *wnames =
> - kmalloc_array(*nwname,
> - sizeof(char *),
> - GFP_NOFS);
> + kcalloc(*nwname, sizeof(char *),
> + GFP_NOFS);
Context of this code is transmitting directory entries, e.g. thousands of
array elements. So this would always introduce performance costs. The error
cases this patch addresses should happen rather rarely BTW.
Another option (instead of clearing the entire array) would be just setting
the last entry in the array to NULL, and the loop freeing the elements would
stop at the first NULL entry. That way you don't have to worry about carrying
`i` along and `i` being correctly intitalized. Would require array size +1
though.
In general I agree that this code section calls out to be simplified, but I
doubt that clearing the entire array is the best way to go here.
> if (!*wnames)
> errcode = -ENOMEM;
> }
> @@ -414,8 +415,10 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
> proto_version,
> "s",
> &(*wnames)[i]);
> - if (errcode)
> + if (errcode) {
> + (*wnames)[i] = NULL;
> break;
> + }
> }
> }
>
> @@ -425,9 +428,9 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
>
> for (i = 0; i < *nwname; i++)
> kfree((*wnames)[i]);
> + kfree(*wnames);
> + *wnames = NULL;
> }
> - kfree(*wnames);
> - *wnames = NULL;
> }
> }
> break;
>
Powered by blists - more mailing lists