From: Christian Schoenebeck <linux_oss@crudebyte.com>
To: Dominique Martinet <asmadeus@codewreck.org>,
Fedor Pchelkin <pchelkin@ispras.ru>
Cc: Fedor Pchelkin <pchelkin@ispras.ru>,
Eric Van Hensbergen <ericvh@kernel.org>,
Latchesar Ionkov <lucho@ionkov.net>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
v9fs@lists.linux.dev, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
lvc-project@linuxtesting.org
Subject: Re: [PATCH v4] net: 9p: avoid freeing uninit memory in p9pdu_vreadf
Date: Thu, 07 Dec 2023 13:54:02 +0100 [thread overview]
Message-ID: <1808202.Umia7laAZq@silver> (raw)
In-Reply-To: <20231206200913.16135-1-pchelkin@ispras.ru>
On Wednesday, December 6, 2023 9:09:13 PM CET Fedor Pchelkin wrote:
> If some of p9pdu_readf() calls inside case 'T' in p9pdu_vreadf() fails,
> the error path is not handled properly. *wnames or members of *wnames
> array may be left uninitialized and invalidly freed.
>
> Initialize *wnames to NULL in beginning of case 'T'. Initialize the first
> *wnames array element to NULL and nullify the failing *wnames element so
> that the error path freeing loop stops on the first NULL element and
> doesn't proceed further.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> Fixes: ace51c4dd2f9 ("9p: add new protocol support code")
> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
> ---
> v2: I've missed that *wnames can also be left uninitialized. Please
> ignore the patch v1. As an answer to Dominique's comment: my
> organization marks this statement in all commits.
> v3: Simplify the patch by using kcalloc() instead of array indices
> manipulation per Christian Schoenebeck's remark. Update the commit
> message accordingly.
> v4: Per Christian's suggestion, apply another strategy: mark failing
> array element as NULL and move in the freeing loop until it is found.
> Update the commit message accordingly. If v4 is more appropriate than the
> version at
> https://github.com/martinetd/linux/commit/69cc23eb3a0b79538e9b5face200c4cd5cd32ae0
> then please use it, otherwise, I don't think we can provide more
> convenient solution here than the one already queued at github.
>
> net/9p/protocol.c | 17 +++++++++++++----
> 1 file changed, 13 insertions(+), 4 deletions(-)
>
> diff --git a/net/9p/protocol.c b/net/9p/protocol.c
> index 4e3a2a1ffcb3..0e6603b1ec90 100644
> --- a/net/9p/protocol.c
> +++ b/net/9p/protocol.c
> @@ -394,6 +394,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
> uint16_t *nwname = va_arg(ap, uint16_t *);
> char ***wnames = va_arg(ap, char ***);
>
> + *wnames = NULL;
> +
> errcode = p9pdu_readf(pdu, proto_version,
> "w", nwname);
> if (!errcode) {
> @@ -403,6 +405,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
> GFP_NOFS);
> if (!*wnames)
> errcode = -ENOMEM;
> + else
> + (*wnames)[0] = NULL;
> }
>
> if (!errcode) {
> @@ -414,8 +418,10 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
> proto_version,
> "s",
> &(*wnames)[i]);
> - if (errcode)
> + if (errcode) {
> + (*wnames)[i] = NULL;
> break;
> + }
I just checked whether this could create a leak, but it looks clean, so LGTM:
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Dominique, I would tend to use this v4 instead of v2. What do you think?
> }
> }
>
> @@ -423,11 +429,14 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
> if (*wnames) {
> int i;
>
> - for (i = 0; i < *nwname; i++)
> + for (i = 0; i < *nwname; i++) {
> + if (!(*wnames)[i])
> + break;
> kfree((*wnames)[i]);
> + }
> + kfree(*wnames);
> + *wnames = NULL;
> }
> - kfree(*wnames);
> - *wnames = NULL;
> }
> }
> break;
>
next prev parent reply other threads:[~2023-12-07 12:54 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-05 8:05 [PATCH] net: 9p: avoid freeing uninit memory in p9pdu_vreadf Fedor Pchelkin
2023-12-05 9:07 ` Dominique Martinet
2023-12-05 9:19 ` [PATCH v2] " Fedor Pchelkin
2023-12-05 9:31 ` Dominique Martinet
2023-12-05 12:15 ` Fedor Pchelkin
2023-12-05 12:43 ` Dominique Martinet
2023-12-05 12:29 ` Christian Schoenebeck
2023-12-05 13:09 ` Fedor Pchelkin
2023-12-05 18:05 ` [PATCH v3] " Fedor Pchelkin
2023-12-06 13:12 ` Christian Schoenebeck
2023-12-06 20:09 ` [PATCH v4] " Fedor Pchelkin
2023-12-07 12:54 ` Christian Schoenebeck [this message]
2023-12-11 23:21 ` Dominique Martinet
2024-01-07 7:56 ` Vitaly Chikunov
2024-01-07 9:48 ` Fedor Pchelkin
2024-01-07 10:14 ` Vitaly Chikunov
2024-01-07 10:26 ` Dominique Martinet
2023-12-11 13:51 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1808202.Umia7laAZq@silver \
--to=linux_oss@crudebyte.com \
--cc=asmadeus@codewreck.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=ericvh@kernel.org \
--cc=khoroshilov@ispras.ru \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lucho@ionkov.net \
--cc=lvc-project@linuxtesting.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pchelkin@ispras.ru \
--cc=v9fs@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.