From: Alexander Potapenko
Date: Fri, 14 Jul 2017 19:33:54 +0200
Subject: Re: [PATCH v2] sctp: don't dereference ptr before leaving _sctp_walk_{params,errors}()
To: David Miller
Cc: Dmitriy Vyukov, Kostya Serebryany, Eric Dumazet, lucien xin, LKML, Networking

On Fri, Jul 14, 2017 at 7:23 PM, David Miller wrote:
> From: Alexander Potapenko
> Date: Fri, 14 Jul 2017 18:33:01 +0200
>
>> On Fri, Jul 14, 2017 at 5:58 PM, David Miller wrote:
>>> From: Alexander Potapenko
>>> Date: Fri, 14 Jul 2017 12:03:29 +0200
>>>
>>>> v2: per comment from David Miller, make sure the whole iterator->length
>>>> fits into the remaining buffer.
>>>
>>> Please compile and functionally test your changes:
>>>
>>> In file included from ./include/linux/compiler.h:58:0,
>>>                  from ./include/uapi/linux/stddef.h:1,
>>>                  from ./include/linux/stddef.h:4,
>>>                  from ./include/uapi/linux/posix_types.h:4,
>>>                  from ./include/uapi/linux/types.h:13,
>>>                  from ./include/linux/types.h:5,
>>>                  from net/sctp/sm_statefuns.c:48:
>>> net/sctp/sm_statefuns.c: In function ‘sctp_sf_do_reconf’:
>>> ./include/net/sctp/sctp.h:472:24: error: unknown type name ‘sctp_paramhdr_t’
>>>   (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\
>>>                     ^
>> Oops. Fixed.
>
> Did you functionally test the new version or just do a quick compile
> check and resubmit?

I've checked that the kernel still works, but unfortunately I couldn't check
whether or not this affected the uninit memory, as KMSAN currently works on a
fixed kernel revision.
The compilation error was actually caused by me failing to test the kernel
when porting the fix from that revision to upstream.

> I really want you to test this if the logic has been changed.

Do you mean any specific tests in addition to, say, running the reproducer
on which the uninit use was reported?

Thanks

--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing directors: Matthew Scott Sucherman, Paul Terence Manicle
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg