2013-09-10 10:37:57

by vaughan

[permalink] [raw]
Subject: [PATCH] block: register_blkdev doesn't check name against NULL

register_blkdev(0, NULL) can result kernel Oops by copying from NULL
in strlcpy(). Fix it by checking NULL pointer at the beginning.

Signed-off-by: Vaughan Cao <[email protected]>
---
block/genhd.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/block/genhd.c b/block/genhd.c
index dadf42b..9564f19 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -287,6 +287,9 @@ int register_blkdev(unsigned int major, const char *name)
struct blk_major_name **n, *p;
int index, ret = 0;

+ if (!name)
+ return -EINVAL;
+
mutex_lock(&block_class_lock);

/* temporary */
--
1.8.3.1


2013-09-11 02:21:42

by vaughan

[permalink] [raw]
Subject: [PATCH v2] block: register_blkdev doesn't check name against NULL

register_blkdev(0, NULL) can result kernel Oops by copying from NULL
in strlcpy(). Fix it by checking NULL pointer at the beginning and
WARN when encountered in unregister_blkdev.

Signed-off-by: Vaughan Cao <[email protected]>
---
block/genhd.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/block/genhd.c b/block/genhd.c
index dadf42b..cca13e9 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -287,6 +287,9 @@ int register_blkdev(unsigned int major, const char *name)
struct blk_major_name **n, *p;
int index, ret = 0;

+ if (!name)
+ return -EINVAL;
+
mutex_lock(&block_class_lock);

/* temporary */
@@ -348,7 +351,7 @@ void unregister_blkdev(unsigned int major, const char *name)
for (n = &major_names[index]; *n; n = &(*n)->next)
if ((*n)->major == major)
break;
- if (!*n || strcmp((*n)->name, name)) {
+ if (!*n || !name || strcmp((*n)->name, name)) {
WARN_ON(1);
} else {
p = *n;
--
1.8.3.1

2013-09-23 14:56:33

by Jeff Moyer

[permalink] [raw]
Subject: Re: [PATCH v2] block: register_blkdev doesn't check name against NULL

Vaughan Cao <[email protected]> writes:

> register_blkdev(0, NULL) can result kernel Oops by copying from NULL
> in strlcpy(). Fix it by checking NULL pointer at the beginning and
> WARN when encountered in unregister_blkdev.

Uhh, so yeah, this is an exported function, so I could see maybe wanting
to do the argument checking. But honestly, if your driver can't even
get this right, is there any hope of it actually working?

This seems like a pointless patch to me, but ultimately it's up to Jens.

Cheers,
Jeff

p.s. the kerneldoc tells you what to put there:
* @name: the name of the new block device as a zero terminated string

2013-09-29 06:52:45

by vaughan

[permalink] [raw]
Subject: Re: [PATCH v2] block: register_blkdev doesn't check name against NULL

On 09/23/2013 10:56 PM, Jeff Moyer wrote:
> Vaughan Cao <[email protected]> writes:
>
>> register_blkdev(0, NULL) can result kernel Oops by copying from NULL
>> in strlcpy(). Fix it by checking NULL pointer at the beginning and
>> WARN when encountered in unregister_blkdev.
> Uhh, so yeah, this is an exported function, so I could see maybe wanting
> to do the argument checking. But honestly, if your driver can't even
> get this right, is there any hope of it actually working?
>
> This seems like a pointless patch to me, but ultimately it's up to Jens.
>
> Cheers,
> Jeff
>
> p.s. the kerneldoc tells you what to put there:
> * @name: the name of the new block device as a zero terminated string
Thanks for your comment, Jeff. I have the same feeling as you, however,
shouldn't kernel do its best to provide the maximum stable working ability?
And it's test case 7 of block driver in ltp project -
http://sourceforge.net/p/ltp/git/ci/master/tree/testcases/kernel/device-drivers/block/kernel_space/test_block.c.
It seems their attitude is we should check this.

Vaughan

2013-09-30 02:20:40

by Chai Wen

[permalink] [raw]
Subject: Re: [PATCH v2] block: register_blkdev doesn't check name against NULL

On 09/29/2013 02:55 PM, vaughan wrote:
> On 09/23/2013 10:56 PM, Jeff Moyer wrote:
>> Vaughan Cao<[email protected]> writes:
>>
>>> register_blkdev(0, NULL) can result kernel Oops by copying from NULL
>>> in strlcpy(). Fix it by checking NULL pointer at the beginning and
>>> WARN when encountered in unregister_blkdev.
>> Uhh, so yeah, this is an exported function, so I could see maybe wanting
>> to do the argument checking. But honestly, if your driver can't even
>> get this right, is there any hope of it actually working?
>>
>> This seems like a pointless patch to me, but ultimately it's up to Jens.
>>
>> Cheers,
>> Jeff
>>
>> p.s. the kerneldoc tells you what to put there:
>> * @name: the name of the new block device as a zero terminated string
> Thanks for your comment, Jeff. I have the same feeling as you, however,
> shouldn't kernel do its best to provide the maximum stable working ability?
> And it's test case 7 of block driver in ltp project -
> http://sourceforge.net/p/ltp/git/ci/master/tree/testcases/kernel/device-drivers/block/kernel_space/test_block.c.
> It seems their attitude is we should check this.
I checked most of the callers of this function in current code tree.
Indeed, mostly they pass a static string as a parameter.
As jeff has said if a driver wants to get things right, it should able to
give right parameters.
But as an acknowledge of kernel code protocol, I have a query/question of
the similar situation. if a function is a public one and called rather
commonly.
In what cases should we have a parameter checking in it?
I think if the parameter is a rather obvious one that even a look at it
in the caller telling OK or not.
These parameters may not need checking.

thanks
chai wen
>
> Vaughan
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>