From: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
To: Christopher Li <sparse@chrisli.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
Linux-Sparse <linux-sparse@vger.kernel.org>
Subject: Re: [PATCH] ptrlist: use after free in last_ptr_list()
Date: Wed, 2 Nov 2016 16:23:10 +0100 [thread overview]
Message-ID: <20161102152309.GA13632@macpro.local> (raw)
In-Reply-To: <CANeU7Qk=Ta+QumF8BhSES9jTLDx+cdvvS8hfMQXg+B2H3Vfc-g@mail.gmail.com>
On Wed, Nov 02, 2016 at 10:52:35PM +0800, Christopher Li wrote:
> On Wed, Nov 2, 2016 at 8:48 PM, Luc Van Oostenryck
> <luc.vanoostenryck@gmail.com> wrote:
> >> + while (list->nr == 0)
> >> + list = list->prev;
>
> Yes, it can deed loop here when the whole list is empty.
>
> > FOR_EACH_PTR_REVERSE(list, ptr) {
> > DELETE_CURRENT_PTR(ptr);
> > last = last_ptr_list((struct ptr_list *)list);
> > } END_FOR_EACH_PTR_REVERSE(ptr);
> > }
> > loops forever on a list with 1 element with your patch.
> > Without your patch, last_ptr_list() return an invalid pointer instead of NULL.
> >
>
> I can see what is going on now. The while loop should
> check for the list->prev has been loop back to the tail of
> the list.
>
> Some thing like this should fix it, I haven't test it at all.
>
> list = tail = list->prev;
> while (list->nr == 0) {
> list = list->prev;
> if (list == tail)
> return NULL;
> }
>
> Chris
> --
Yes, something like this should do, indeed.
But by looking at the code, I think that 'first_ptr_list()'
is also not immunised against the same problem.
Also these two functions first_ & last_ptr_list() were
trivial ones but now they maybe become a bit too heavy to be inlined?
Or, maybe we should create a 'safe' version of those two, not inlined,
and which do the correct list walking?
Or maybe we need to have a macro like LAST_PTR() which do everything needed,
like DELETE_CURRENT_PTR() do?
I would vote for the safe version.
Luc
next prev parent reply other threads:[~2016-11-02 15:23 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-13 9:45 [PATCH] ptrlist: use after free in last_ptr_list() Dan Carpenter
2016-11-02 12:48 ` Luc Van Oostenryck
2016-11-02 14:52 ` Christopher Li
2016-11-02 15:23 ` Luc Van Oostenryck [this message]
2016-11-04 10:44 ` Luc Van Oostenryck
2016-11-05 0:30 ` Christopher Li
2016-11-06 8:49 ` Luc Van Oostenryck
2016-11-07 10:00 ` Luc Van Oostenryck
2016-11-16 22:46 ` Christopher Li
2016-11-16 23:22 ` Luc Van Oostenryck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161102152309.GA13632@macpro.local \
--to=luc.vanoostenryck@gmail.com \
--cc=dan.carpenter@oracle.com \
--cc=linux-sparse@vger.kernel.org \
--cc=sparse@chrisli.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.