From: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
To: Christopher Li <sparse@chrisli.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
Linux-Sparse <linux-sparse@vger.kernel.org>
Subject: Re: [PATCH] ptrlist: use after free in last_ptr_list()
Date: Thu, 17 Nov 2016 00:22:55 +0100 [thread overview]
Message-ID: <20161116232254.GA21402@macpro.local> (raw)
In-Reply-To: <CANeU7QnyiJi3qGF9Wvz1BK6wUrEBehb94gc2JbsFkF=-d=NFVQ@mail.gmail.com>
On Thu, Nov 17, 2016 at 06:46:44AM +0800, Christopher Li wrote:
> On Mon, Nov 7, 2016 at 6:00 PM, Luc Van Oostenryck
> <luc.vanoostenryck@gmail.com> wrote:
> > OK, I've checked this on a more substantial amount of code
> > than the testsuite: the kernel for x86-64 with allyesconfig
> > and I confirm that there is not a single out-of-bounds access
> > to any ->list[], wich is what matters.
> >
> > Nevertheless, there are two cases (in cse.c and evaluate.c)
> > where elements are deleted from a list which is not directly
> > repacked at the end of the loop and it's not obvious in the code
> > why it's OK to not repack them.
>
> Thanks for the extensive testing. As for the repacking, I think its
> better to repack the list to after the delete of the entry. However,
> we don't want to repack the list if there is not deletion at all.
>
> How about this, we can introduce a bit field on "struct ptr_list" to
> keep track of the list needs repack or not. On deletion the ptr_list will
> be dirty. The other function which assuming the packed list will
> check the dirty bit and complain if list is not packed.
>
> We can even make keep the "struct ptr_list" the same size.
> Just squeeze some bits from "int nr". However, that will break the
> binary interface of sparse as a library. The application link with
> sparse will need to be recompiled.
>
> Chris
> --
Sound good.
I'll look at this, probably tomorrow.
Luc
prev parent reply other threads:[~2016-11-16 23:23 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-13 9:45 [PATCH] ptrlist: use after free in last_ptr_list() Dan Carpenter
2016-11-02 12:48 ` Luc Van Oostenryck
2016-11-02 14:52 ` Christopher Li
2016-11-02 15:23 ` Luc Van Oostenryck
2016-11-04 10:44 ` Luc Van Oostenryck
2016-11-05 0:30 ` Christopher Li
2016-11-06 8:49 ` Luc Van Oostenryck
2016-11-07 10:00 ` Luc Van Oostenryck
2016-11-16 22:46 ` Christopher Li
2016-11-16 23:22 ` Luc Van Oostenryck [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161116232254.GA21402@macpro.local \
--to=luc.vanoostenryck@gmail.com \
--cc=dan.carpenter@oracle.com \
--cc=linux-sparse@vger.kernel.org \
--cc=sparse@chrisli.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.