From: Fedor Pchelkin
To: Dominique Martinet, Christian Schoenebeck
Cc: Fedor Pchelkin, Eric Van Hensbergen, Latchesar Ionkov, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, v9fs@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov, lvc-project@linuxtesting.org
Subject: [PATCH v4] net: 9p: avoid freeing uninit memory in p9pdu_vreadf
Date: Wed, 6 Dec 2023 23:09:13 +0300
Message-ID: <20231206200913.16135-1-pchelkin@ispras.ru>
In-Reply-To: <10981267.HhOBSzzNiN@silver>

If some of the p9pdu_readf() calls inside case 'T' in p9pdu_vreadf() fail, the error path is not handled properly. *wnames or members of the *wnames array may be left uninitialized and invalidly freed.

Initialize *wnames to NULL at the beginning of case 'T'. Initialize the first *wnames array element to NULL and nullify the failing *wnames element so that the error path freeing loop stops on the first NULL element and doesn't proceed further.

Found by Linux Verification Center (linuxtesting.org).

Fixes: ace51c4dd2f9 ("9p: add new protocol support code")
Signed-off-by: Fedor Pchelkin
---
v2: I've missed that *wnames can also be left uninitialized. Please ignore the patch v1. As an answer to Dominique's comment: my organization marks this statement in all commits.

v3: Simplify the patch by using kcalloc() instead of array indices manipulation per Christian Schoenebeck's remark. Update the commit message accordingly.

v4: Per Christian's suggestion, apply another strategy: mark failing array element as NULL and move in the freeing loop until it is found. Update the commit message accordingly.

If v4 is more appropriate than the version at https://github.com/martinetd/linux/commit/69cc23eb3a0b79538e9b5face200c4cd5cd32ae0 then please use it, otherwise, I don't think we can provide more convenient solution here than the one already queued at github.

 net/9p/protocol.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/net/9p/protocol.c b/net/9p/protocol.c index 4e3a2a1ffcb3..0e6603b1ec90 100644 --- a/net/9p/protocol.c +++ b/net/9p/protocol.c @@ -394,6 +394,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt, uint16_t *nwname = va_arg(ap, uint16_t *); char ***wnames = va_arg(ap, char ***); + *wnames = NULL; + errcode = p9pdu_readf(pdu, proto_version, "w", nwname); if (!errcode) { @@ -403,6 +405,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt, GFP_NOFS); if (!*wnames) errcode = -ENOMEM; + else + (*wnames)[0] = NULL; } if (!errcode) { @@ -414,8 +418,10 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt, proto_version, "s", &(*wnames)[i]); - if (errcode) + if (errcode) { + (*wnames)[i] = NULL; break; + } } }
@@ -423,11 +429,14 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt, if (*wnames) { int i; - for (i = 0; i < *nwname; i++) + for (i = 0; i < *nwname; i++) { + if (!(*wnames)[i]) + break; kfree((*wnames)[i]); + } + kfree(*wnames); + *wnames = NULL; } - kfree(*wnames); - *wnames = NULL; } } break; -- 2.43.0
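Review bot: in the second hunk (@@ -403,6 +405,8 @@), `(*wnames)[0] = NULL;` runs whenever the allocation succeeded, including when the just-read `*nwname` is 0; a zero-element array has no slot 0 to write, so the store should be guarded with `if (*nwname)` (or the whole array zeroed at allocation, as the v3 kcalloc() version did). `*nwname` comes straight off the wire through the "w" read, so the zero case is peer-controlled rather than theoretical.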
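Review bot: in the third hunk (@@ -414,8 +418,10 @@), the reason for `(*wnames)[i] = NULL;` deserves a one-line comment: p9pdu_readf(..., "s", ...) can fail before it ever stores to &(*wnames)[i], leaving that slot uninitialised, and the freeing loop relies on this NULL as its stop marker. Without the comment the store looks redundant with the 's' case's own cleanup and is at risk of being "simplified" away later.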
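Review bot: in the fourth hunk (@@ -423,11 +429,14 @@), the `if (!(*wnames)[i]) break;` early exit is only sound if every successfully parsed slot is non-NULL, i.e. the "s" read never yields a NULL string on success; that holds, but the loop now silently depends on it, so a short comment stating the invariant (slots are filled in order and the first NULL ends the filled prefix) would help. Moving `kfree(*wnames); *wnames = NULL;` inside the `if (*wnames)` block is behaviour-neutral, since the pointer is already NULL in the other case; fine as written.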
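The error-path strategy the commit message describes (NULL the first slot, NULL the failing slot, stop the freeing loop at the first NULL), as an added user-space C model written for this page; it is not the patch author's code and nothing in it comes from net/9p. It assumes the 9p wire layout (little-endian u16 count, then u16-length-prefixed strings); its read_u16()/read_string()/xmalloc() helpers and the sample messages are hypothetical stand-ins for p9pdu_readf() and pdu_read(), constructed so the example runs offline. It goes one step beyond the patch by guarding the slot-0 store when the count is zero, since a zero-length allocation has no slot 0 to write, and it counts live allocations so the error path can be checked for leaks and for frees of never-written slots.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Allocation counter (model only): proves the error path frees exactly what it allocated. */
static int live_allocs;
static void *xmalloc(size_t n) { void *p = malloc(n ? n : 1); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) live_allocs--; free(p); }
int outstanding_allocs(void) { return live_allocs; }

/* Stand-in for struct p9_fcall: a byte buffer plus a read cursor. */
struct pdu { const uint8_t *data; size_t size, offset; };

/* "w": little-endian u16; -EFAULT on a short buffer, like pdu_read(). */
static int read_u16(struct pdu *pdu, uint16_t *out)
{
	if (pdu->size - pdu->offset < 2)
		return -EFAULT;
	*out = (uint16_t)(pdu->data[pdu->offset] | (pdu->data[pdu->offset + 1] << 8));
	pdu->offset += 2;
	return 0;
}

/* "s": u16 length then bytes. As in the kernel's 's' case, *sptr is left untouched
 * when the length cannot be read, so after a failure the slot is NOT known to be NULL. */
static int read_string(struct pdu *pdu, char **sptr)
{
	uint16_t len;
	int err = read_u16(pdu, &len);
	if (err)
		return err;
	if (pdu->size - pdu->offset < (size_t)len)
		return -EFAULT;
	*sptr = xmalloc((size_t)len + 1);
	if (!*sptr)
		return -ENOMEM;
	memcpy(*sptr, pdu->data + pdu->offset, len);
	(*sptr)[len] = '\0';
	pdu->offset += len;
	return 0;
}

/* The patched 'T' strategy: NULL slot 0, NULL the failing slot, stop the cleanup
 * loop at the first NULL. On error everything allocated here is released and *wnames is NULL. */
int read_wnames(struct pdu *pdu, uint16_t *nwname, char ***wnames)
{
	int err, i;
	*wnames = NULL;                          /* cleanup is safe even if "w" fails */
	err = read_u16(pdu, nwname);
	if (err)
		return err;
	*wnames = xmalloc((size_t)*nwname * sizeof(char *));
	if (!*wnames)
		return -ENOMEM;
	if (*nwname)                             /* a zero-length array has no slot 0 */
		(*wnames)[0] = NULL;
	for (i = 0; i < *nwname; i++) {
		err = read_string(pdu, &(*wnames)[i]);
		if (err) {
			(*wnames)[i] = NULL;             /* terminate the filled prefix */
			break;
		}
	}
	if (err) {
		for (i = 0; i < *nwname && (*wnames)[i]; i++)
			xfree((*wnames)[i]);             /* slots past the NULL were never written */
		xfree(*wnames);
		*wnames = NULL;
	}
	return err;
}

static void free_wnames(uint16_t nwname, char **wnames)
{
	for (int i = 0; i < nwname; i++)
		xfree(wnames[i]);
	xfree(wnames);
}

/* Constructed wire samples, not captured traffic. */
const uint8_t msg_two_names[] = { 2, 0, 3, 0, 'u', 's', 'r', 3, 0, 'b', 'i', 'n' };
const uint8_t msg_truncated[] = { 2, 0, 3, 0, 'u', 's', 'r', 5, 0, 'b', 'i' };   /* second length overruns */
const uint8_t msg_zero_names[] = { 0, 0 };

/* Decode msg and release the result. Returns the decoder's error on failure;
 * on success 0 when expect is NULL or the idx-th name equals it, else 1. */
int decode_check(const uint8_t *msg, size_t len, int idx, const char *expect)
{
	struct pdu pdu = { msg, len, 0 };
	uint16_t nwname;
	char **wnames;
	int rc = read_wnames(&pdu, &nwname, &wnames);
	if (rc)
		return rc;
	if (expect)
		rc = (idx < nwname && strcmp(wnames[idx], expect) == 0) ? 0 : 1;
	free_wnames(nwname, wnames);
	return rc;
}
```

The truncated sample is the interesting input: the first name parses, the second fails inside read_u16() before anything is stored into slot 1, and the cleanup frees only slot 0 and the array, leaving outstanding_allocs() at zero. Without the NULL sentinel the same loop would pass whatever garbage sat in slot 1 to free().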