| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z69MESaQ4cUvIy4z@mev-dev.igk.intel.com>
Date: Fri, 14 Feb 2025 14:58:41 +0100
From: Michal Swiatkowski <michal.swiatkowski@...ux.intel.com>
To: Andrew Lunn <andrew@...n.ch>
Cc: Michal Swiatkowski <michal.swiatkowski@...ux.intel.com>,
netdev@...r.kernel.org, jiri@...nulli.us, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
horms@...nel.org, pierre@...ckhpc.com,
Dan Carpenter <error27@...il.com>
Subject: Re: [net v1] devlink: fix xa_alloc_cyclic error handling
On Fri, Feb 14, 2025 at 02:44:49PM +0100, Andrew Lunn wrote:
> On Fri, Feb 14, 2025 at 02:24:53PM +0100, Michal Swiatkowski wrote:
> > Pierre Riteau <pierre@...ckhpc.com> found suspicious handling an error
> > from xa_alloc_cyclic() in scheduler code [1]. The same is done in
> > devlink_rel_alloc().
>
> If the same bug exists twice it might exist more times. Did you find
> this instance by searching the whole tree? Or just networking?
>
> This is also something which would be good to have the static
> analysers check for. I wounder if smatch can check this?
>
> Andrew
>
You are right, I checked only net folder and there are two usage like
that in drivers. I will send v2 with wider fixing, thanks.
It can be not so easy to check. What if someone want to treat wrapping
as an error (don't know if it is valid)? If one of the caller is
checking err < 0 it will be fine.
Thanks,
Michal
> >
> > In case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will
> > be returned, which will cause IS_ERR() to be false. Which can lead to
> > dereference not allocated pointer (rel).
> >
> > Fix it by checking if err is lower than zero.
> >
> > This wasn't found in real usecase, only noticed. Credit to Pierre.
> >
> > Signed-off-by: Michal Swiatkowski <michal.swiatkowski@...ux.intel.com>
> > ---
> > net/devlink/core.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/devlink/core.c b/net/devlink/core.c
> > index f49cd83f1955..7203c39532fc 100644
> > --- a/net/devlink/core.c
> > +++ b/net/devlink/core.c
> > @@ -117,7 +117,7 @@ static struct devlink_rel *devlink_rel_alloc(void)
> >
> > err = xa_alloc_cyclic(&devlink_rels, &rel->index, rel,
> > xa_limit_32b, &next, GFP_KERNEL);
> > - if (err) {
> > + if (err < 0) {
> > kfree(rel);
> > return ERR_PTR(err);
> > }
> > --
> > 2.42.0
> >
> >
Powered by blists - more mailing lists