From: Christian Schoenebeck
To: Dominique Martinet, Fedor Pchelkin
Cc: Fedor Pchelkin, Eric Van Hensbergen, Latchesar Ionkov, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, v9fs@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov, lvc-project@linuxtesting.org
Subject: Re: [PATCH v3] net: 9p: avoid freeing uninit memory in p9pdu_vreadf
Date: Wed, 06 Dec 2023 14:12:37 +0100
Message-ID: <10981267.HhOBSzzNiN@silver>
In-Reply-To: <20231205180523.11318-1-pchelkin@ispras.ru>
References: <20231205180523.11318-1-pchelkin@ispras.ru>

On Tuesday, December 5, 2023 7:05:22 PM CET Fedor Pchelkin wrote:
> If some of the p9pdu_readf() calls inside case 'T' in p9pdu_vreadf() fail,
> the error path is not handled properly. *wnames or members of the *wnames
> array may be left uninitialized and invalidly freed.
>
> In order not to complicate the code with array index processing, fix the
> problem by initializing *wnames to NULL at the beginning of case 'T' and
> using kcalloc() to allocate and initialize the array. For assurance,
> nullify the failing *wnames element (the callee handles that already -
> e.g. see the 's' case).
>
> Found by Linux Verification Center (linuxtesting.org).
>
> Fixes: ace51c4dd2f9 ("9p: add new protocol support code")
> Signed-off-by: Fedor Pchelkin > --- > v2: I've missed that *wnames can also be left uninitialized. Please > ignore the patch v1. As an answer to Dominique's comment: my > organization marks this statement in all commits. > v3: Simplify the patch by using kcalloc() instead of array indices > manipulation per Christian Schoenebeck's remark. Update the commit > message accordingly. > > net/9p/protocol.c | 15 +++++++++------ > 1 file changed, 9 insertions(+), 6 deletions(-) > > diff --git a/net/9p/protocol.c b/net/9p/protocol.c > index 4e3a2a1ffcb3..7067fb49d713 100644 > --- a/net/9p/protocol.c > +++ b/net/9p/protocol.c > @@ -394,13 +394,14 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt, > uint16_t *nwname = va_arg(ap, uint16_t *); > char ***wnames = va_arg(ap, char ***); > > + *wnames = NULL; > + > errcode = p9pdu_readf(pdu, proto_version, > "w", nwname); > if (!errcode) { > *wnames = > - kmalloc_array(*nwname, > - sizeof(char *), > - GFP_NOFS); > + kcalloc(*nwname, sizeof(char *), > + GFP_NOFS); Context of this code is transmitting directory entries, e.g. thousands of array elements. So this would always introduce performance costs. The error cases this patch addresses should happen rather rarely BTW. Another option (instead of clearing the entire array) would be just setting the last entry in the array to NULL, and the loop freeing the elements would stop at the first NULL entry. That way you don't have to worry about carrying `i` along and `i` being correctly intitalized. Would require array size +1 though. In general I agree that this code section calls out to be simplified, but I doubt that clearing the entire array is the best way to go here. > if (!*wnames) > errcode = -ENOMEM; > } > @@ -414,8 +415,10 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt, > proto_version, > "s", > &(*wnames)[i]); > - if (errcode) > + if (errcode) { > + (*wnames)[i] = NULL; > break; > + } > } > } 
> > @@ -425,9 +428,9 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt, > > for (i = 0; i < *nwname; i++) > kfree((*wnames)[i]); > + kfree(*wnames); > + *wnames = NULL; > } > - kfree(*wnames); > - *wnames = NULL; > } > } > break; >
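Review bot: in the first hunk (@@ -394,13 +394,14 @@) the zero-fill from kcalloc() is what makes the unconditional free loop in the last hunk safe, but nothing at the call site says so; a one-line comment at the kcalloc() call (e.g. `/* zeroed so the error path can kfree() every slot */`) would stop a later switch back to kmalloc_array() from silently reintroducing the free of uninitialised pointers. The cost concern is bounded: *nwname is a uint16_t, so at most 65535 pointers get cleared. One more thing for the commit message: kcalloc() with *nwname == 0 returns ZERO_SIZE_PTR rather than NULL, so `if (!*wnames)` does not fire for an empty walk; that is correct, since kfree() accepts ZERO_SIZE_PTR, but it is worth stating that the empty case was considered.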
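Review bot: in the second hunk (@@ -414,8 +415,10 @@) the added `(*wnames)[i] = NULL;` on the error path is redundant twice over: the slot was already zeroed by kcalloc() in the hunk above, and the commit message itself says the 's' case nulls its output on failure. A dead store like this leaves the next reader unsure which invariant the free loop relies on; either drop it and keep `if (errcode) break;` as it was, or keep it and say in the commit message that it is purely belt-and-braces. If it stays, the added braces are fine per coding style.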
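Review bot: in the third hunk (@@ -425,9 +428,9 @@) moving `kfree(*wnames); *wnames = NULL;` inside `if (*wnames)` is cosmetic once *wnames is initialised to NULL in the first hunk (kfree(NULL) is a no-op and the assignment is idempotent), so it should either be called out as cleanup in the commit message or dropped to keep the fix minimal for stable backports, given the Fixes: tag. More importantly, `for (i = 0; i < *nwname; i++) kfree((*wnames)[i]);` now frees slots the read loop never reached, which is only valid because of the kcalloc() zero-fill; a comment here tying the two hunks together would help.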
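A user-space model of the error path this thread is about, added here as an illustration and not code from the patch, the kernel or the reply. It implements the 'T' decode twice: once in the shape of the v3 patch (*wnames initialised to NULL, zero-filled array, free every slot) and once in the shape of the alternative floated in the reply (an array one slot longer, with a free loop that stops at the first NULL). The 9P reader is reduced to the two formats involved ("w" as a little-endian u16 count, "s" as a u16 length plus bytes), allocations are counted so a test can show that a truncated PDU frees exactly what it allocated, and the sample PDUs are constructed. Names such as read_wnames_calloc, read_wnames_sentinel, xcalloc, decode and walk_truncated are this example's own.

```c
/* Added user-space model of the 'T' (walk name array) decode path; not kernel
 * code. "w" = little-endian u16 count, "s" = u16 length + bytes. Allocations
 * are counted so a test can check every error path frees what it allocated. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct pdu { const uint8_t *data; size_t size, offset; };

static int live_allocs;                                /* not yet freed */
static void *xcalloc(size_t n, size_t sz) { void *p = calloc(n ? n : 1, sz); if (p) live_allocs++; return p; }
static void *xmalloc(size_t sz) { void *p = malloc(sz); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }      /* kfree(NULL): no-op */
static int leaked_allocs(void) { return live_allocs; }

static int read_u16(struct pdu *p, uint16_t *out)
{
	if (p->size - p->offset < 2)
		return -1;                                     /* truncated PDU */
	*out = (uint16_t)(p->data[p->offset] | (p->data[p->offset + 1] << 8));
	p->offset += 2;
	return 0;
}

/* 's' decoder: a failure leaves *sptr == NULL, as the kernel's 's' case does. */
static int read_str(struct pdu *p, char **sptr)
{
	uint16_t len;

	*sptr = NULL;
	if (read_u16(p, &len) || p->size - p->offset < len)
		return -1;
	if (!(*sptr = xmalloc((size_t)len + 1)))
		return -1;
	memcpy(*sptr, p->data + p->offset, len);
	(*sptr)[len] = '\0';
	p->offset += len;
	return 0;
}

/* Shape of the v3 patch: *wnames starts NULL, the array is zero-filled, so the
 * error path frees every slot without tracking how far the read loop got. */
static int read_wnames_calloc(struct pdu *p, uint16_t *nwname, char ***wnames)
{
	int err, i;

	*wnames = NULL;
	err = read_u16(p, nwname);
	if (!err && !(*wnames = xcalloc(*nwname, sizeof(char *))))
		err = -1;
	for (i = 0; !err && i < *nwname; i++)
		err = read_str(p, &(*wnames)[i]);
	if (err && *wnames) {
		for (i = 0; i < *nwname; i++)
			xfree((*wnames)[i]);                   /* unread slots are NULL */
		xfree(*wnames);
		*wnames = NULL;
	}
	return err;
}

/* Shape of the alternative in the reply: no zero-fill, one extra slot, and a
 * free loop that stops at the first NULL, which the failing 's' read wrote. */
static int read_wnames_sentinel(struct pdu *p, uint16_t *nwname, char ***wnames)
{
	int err, i;

	*wnames = NULL;
	err = read_u16(p, nwname);
	if (!err && !(*wnames = xmalloc(((size_t)*nwname + 1) * sizeof(char *))))
		err = -1;
	for (i = 0; !err && i < *nwname; i++)
		err = read_str(p, &(*wnames)[i]);
	if (!err && *wnames)
		(*wnames)[*nwname] = NULL;                     /* terminator in the extra slot */
	if (err && *wnames) {
		for (i = 0; (*wnames)[i]; i++)                 /* slots past the NULL were never written */
			xfree((*wnames)[i]);
		xfree(*wnames);
		*wnames = NULL;
	}
	return err;
}

/* Decode with one strategy, free the result; returns the name count or -1. */
static int decode(const uint8_t *buf, size_t len, int sentinel)
{
	struct pdu p = { buf, len, 0 };
	uint16_t n = 0;
	char **names = NULL;
	int i, count = -1;

	live_allocs = 0;
	if (!(sentinel ? read_wnames_sentinel(&p, &n, &names)
		       : read_wnames_calloc(&p, &n, &names))) {
		for (count = n, i = 0; i < n; i++)
			xfree(names[i]);
		xfree(names);
	}
	return count;
}

/* Constructed PDUs: two names "usr","bin"; three announced, second cut short. */
static const uint8_t walk_ok[] = { 2, 0, 3, 0, 'u', 's', 'r', 3, 0, 'b', 'i', 'n' };
static const uint8_t walk_truncated[] = { 3, 0, 3, 0, 'u', 's', 'r', 3, 0, 'b', 'i' };
```

Both variants return -1 on the truncated PDU with nothing left allocated, and 2 on the good one. The difference is what each relies on: the kcalloc shape needs only the zero-fill, while the sentinel shape depends on the 's' decoder writing NULL into its slot on failure (the commit message states the kernel's 's' case does this) and never reads the slots beyond that NULL, which are uninitialised.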