Re: [PATCH] lib: idr: fix out-of-bounds pointer dereference

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Lai Jiangshan <laijs@cn.fujitsu.com>
To: Andrey Ryabinin <a.ryabinin@samsung.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Tejun Heo <tj@kernel.org>, <linux-kernel@vger.kernel.org>,
	<tetra2005@gmail.com>, <preobr@google.com>, <dvyukov@google.com>,
	<kcc@google.com>, <koct9i@gmail.com>
Subject: Re: [PATCH] lib: idr: fix out-of-bounds pointer dereference
Date: Tue, 24 Jun 2014 09:26:08 +0800	[thread overview]
Message-ID: <53A8D3B0.8090004@cn.fujitsu.com> (raw)
In-Reply-To: <1403530628-32306-1-git-send-email-a.ryabinin@samsung.com>

On 06/23/2014 09:37 PM, Andrey Ryabinin wrote:
> I'm working on address sanitizer project for kernel. Recently we started
> experiments with stack instrumentation, to detect out-of-bounds
> read/write bugs on stack.
> 
> Just after booting I've hit out-of-bounds read on stack in idr_for_each
> (and in __idr_remove_all as well):
> 
> 	struct idr_layer **paa = &pa[0];
> 
> 	while (id >= 0 && id <= max) {
> 		...
> 		while (n < fls(id)) {
> 			n += IDR_BITS;
> 			p = *--paa; <--- here we are reading pa[-1] value.
> 		}
> 	}

I prefer to moving the loop-exit-condition-checking code down:

	if (id < 0 || id > max)		/* only idr_get_next() needs this branch */
		return ...

	for (;;) {			/* move out from here */
		...
		increase the @id;
		if (id < 0 || id > max)	/* move to here */
			break;
		while (n < fls(id)) {
			...
		}
	}


> 
> Despite the fact that after this dereference we are exiting out of loop and
> never use p, such behaviour is undefined and should be avoided.
> 
> Fix this by moving pointer derference to the beggining of the loop, right
> before we will use it.
> 
> Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
> ---
>  lib/idr.c | 25 ++++++++++++++-----------
>  1 file changed, 14 insertions(+), 11 deletions(-)
> 
> diff --git a/lib/idr.c b/lib/idr.c
> index 39158ab..50be3fa 100644
> --- a/lib/idr.c
> +++ b/lib/idr.c
> @@ -590,26 +590,27 @@ static void __idr_remove_all(struct idr *idp)
>  	struct idr_layer **paa = &pa[0];
>  
>  	n = idp->layers * IDR_BITS;
> -	p = idp->top;
> +	*paa = idp->top;
>  	RCU_INIT_POINTER(idp->top, NULL);
>  	max = idr_max(idp->layers);
>  
>  	id = 0;
>  	while (id >= 0 && id <= max) {
> +		p = *paa;
>  		while (n > IDR_BITS && p) {
>  			n -= IDR_BITS;
> -			*paa++ = p;
>  			p = p->ary[(id >> n) & IDR_MASK];
> +			*++paa = p;
>  		}
>  
>  		bt_mask = id;
>  		id += 1 << n;
>  		/* Get the highest bit that the above add changed from 0->1. */
>  		while (n < fls(id ^ bt_mask)) {
> -			if (p)
> -				free_layer(idp, p);
> +			if (*paa)
> +				free_layer(idp, *paa);
>  			n += IDR_BITS;
> -			p = *--paa;
> +			--paa;
>  		}
>  	}
>  	idp->layers = 0;
> @@ -692,15 +693,16 @@ int idr_for_each(struct idr *idp,
>  	struct idr_layer **paa = &pa[0];
>  
>  	n = idp->layers * IDR_BITS;
> -	p = rcu_dereference_raw(idp->top);
> +	*paa = rcu_dereference_raw(idp->top);
>  	max = idr_max(idp->layers);
>  
>  	id = 0;
>  	while (id >= 0 && id <= max) {
> +		p = *paa;
>  		while (n > 0 && p) {
>  			n -= IDR_BITS;
> -			*paa++ = p;
>  			p = rcu_dereference_raw(p->ary[(id >> n) & IDR_MASK]);
> +			*++paa = p;
>  		}
>  
>  		if (p) {
> @@ -712,7 +714,7 @@ int idr_for_each(struct idr *idp,
>  		id += 1 << n;
>  		while (n < fls(id)) {
>  			n += IDR_BITS;
> -			p = *--paa;
> +			--paa;
>  		}
>  	}
>  
> @@ -740,17 +742,18 @@ void *idr_get_next(struct idr *idp, int *nextidp)
>  	int n, max;
>  
>  	/* find first ent */
> -	p = rcu_dereference_raw(idp->top);
> +	p = *paa = rcu_dereference_raw(idp->top);
>  	if (!p)
>  		return NULL;
>  	n = (p->layer + 1) * IDR_BITS;
>  	max = idr_max(p->layer + 1);
>  
>  	while (id >= 0 && id <= max) {
> +		p = *paa;
>  		while (n > 0 && p) {
>  			n -= IDR_BITS;
> -			*paa++ = p;
>  			p = rcu_dereference_raw(p->ary[(id >> n) & IDR_MASK]);
> +			*++paa = p;
>  		}
>  
>  		if (p) {
> @@ -768,7 +771,7 @@ void *idr_get_next(struct idr *idp, int *nextidp)
>  		id = round_up(id + 1, 1 << n);
>  		while (n < fls(id)) {
>  			n += IDR_BITS;
> -			p = *--paa;
> +			--paa;
>  		}
>  	}
>  	return NULL;

next prev parent reply	other threads:[~2014-06-24  1:25 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-06-23 13:37 [PATCH] lib: idr: fix out-of-bounds pointer dereference Andrey Ryabinin
2014-06-24  1:26 ` Lai Jiangshan [this message]
2014-06-24  5:48   ` Andrey Ryabinin
2014-06-24  7:48     ` Lai Jiangshan
2014-06-24  8:17       ` Andrey Ryabinin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=53A8D3B0.8090004@cn.fujitsu.com \
    --to=laijs@cn.fujitsu.com \
    --cc=a.ryabinin@samsung.com \
    --cc=akpm@linux-foundation.org \
    --cc=dvyukov@google.com \
    --cc=kcc@google.com \
    --cc=koct9i@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=preobr@google.com \
    --cc=tetra2005@gmail.com \
    --cc=tj@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.