Date: Fri, 14 Jul 2017 10:54:31 -0700 (PDT)
Message-Id: <20170714.105431.403659291323482633.davem@davemloft.net>
From: David Miller
To: glider@google.com
Cc: dvyukov@google.com, kcc@google.com, edumazet@google.com, lucien.xin@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH v2] sctp: don't dereference ptr before leaving _sctp_walk_{params,errors}()
References: <20170714.102312.821784668156442305.davem@davemloft.net>

From: Alexander Potapenko
Date: Fri, 14 Jul 2017 19:33:54 +0200

> On Fri, Jul 14, 2017 at 7:23 PM, David Miller wrote:
>> From: Alexander Potapenko
>> Date: Fri, 14 Jul 2017 18:33:01 +0200
>>
>>> On Fri, Jul 14, 2017 at 5:58 PM, David Miller wrote:
>>>> From: Alexander Potapenko
>>>> Date: Fri, 14 Jul 2017 12:03:29 +0200
>>>>
>>>>> v2: per comment from David Miller, make sure the whole iterator->length
>>>>> fits into the remaining buffer.
>>>>
>>>> Please compile and functionally test your changes:
>>>>
>>>> In file included from ./include/linux/compiler.h:58:0,
>>>>                  from ./include/uapi/linux/stddef.h:1,
>>>>                  from ./include/linux/stddef.h:4,
>>>>                  from ./include/uapi/linux/posix_types.h:4,
>>>>                  from ./include/uapi/linux/types.h:13,
>>>>                  from ./include/linux/types.h:5,
>>>>                  from net/sctp/sm_statefuns.c:48:
>>>> net/sctp/sm_statefuns.c: In function ‘sctp_sf_do_reconf’:
>>>> ./include/net/sctp/sctp.h:472:24: error: unknown type name ‘sctp_paramhdr_t’
>>>>    (pos.v + offsetof(sctp_paramhdr_t, length) + sizeof(pos.p->length) <\
>>>>                        ^
>>> Oops. Fixed.
>>
>> Did you functionally test the new version or just do a quick compile
>> check and resubmit?
> I've checked that the kernel still works, but unfortunately I couldn't
> check whether or not this affected the uninit memory, as KMSAN
> currently works on a fixed kernel revision. The compilation error was
> actually caused by me failing to test the kernel when porting the fix
> from that revision to upstream.
>
>> I really want you to test this if the logic has been changed.
> Do you mean any specific tests in addition to, say, running the
> reproducer on which the uninit use was reported?

I mean the reproducer.
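The bounds check the thread is about, as an added example that is not part of the patch or of the kernel's own sctp_walk_params(): a hypothetical TLV walker that first verifies the length field lies inside the buffer (the offsetof + sizeof test seen in the compile error) before reading it, and then that the whole parameter fits in the remaining bytes. struct param_hdr, walk_params(), walk_clean() and the sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the kernel's parameter header: 16-bit type,
 * 16-bit big-endian length that counts the header itself. */
struct param_hdr {
    uint16_t type;
    uint16_t length;
};

/* SCTP parameters are padded to a 4-byte boundary. */
static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Walk the TLV parameters in buf[0..len). Returns the number of
 * well-formed parameters; *truncated (if non-NULL) is set when the walk
 * stopped because a header, or the length it claims, did not fit. */
int walk_params(const uint8_t *buf, size_t len, int *truncated)
{
    size_t off = 0;
    int count = 0;
    int trunc = 0;

    while (off < len) {
        /* The point of the patch: the length field must lie inside the
         * buffer before it is read, i.e. offsetof(length) + sizeof(length)
         * bytes must still remain. */
        if (len - off < offsetof(struct param_hdr, length) + sizeof(uint16_t)) { trunc = 1; break; }
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        /* Then the whole parameter must fit in the remaining bytes, and it
         * must be at least a header long or the walk would never advance. */
        if (plen < sizeof(struct param_hdr) || plen > len - off) { trunc = 1; break; }
        count++;
        off += pad4(plen);
    }
    if (truncated)
        *truncated = trunc;
    return count;
}

/* 1 if the walk consumed the buffer without hitting a truncated parameter. */
int walk_clean(const uint8_t *buf, size_t len) { int t; walk_params(buf, len, &t); return !t; }

/* Constructed samples: two valid params; a second param claiming 64 bytes
 * with only 4 left; a 3-byte trailing fragment that is not even a full header. */
static const uint8_t sample_ok[]    = { 0,1,0,6, 0xaa,0xbb,0,0, 0,2,0,4 };
static const uint8_t sample_bad[]   = { 0,1,0,4, 0,5,0,64 };
static const uint8_t sample_short[] = { 0,1,0,4, 0,2,0 };
```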