Re: arch/riscv/kernel/module.c:727 add_relocation_to_accumulate() error: dereferencing freed memory 'rel_head'

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Charlie Jenkins <charlie@rivosinc.com>
To: Dan Carpenter <dan.carpenter@linaro.org>
Cc: oe-kbuild@lists.linux.dev, lkp@intel.com,
	oe-kbuild-all@lists.linux.dev, linux-kernel@vger.kernel.org,
	Palmer Dabbelt <palmer@rivosinc.com>
Subject: Re: arch/riscv/kernel/module.c:727 add_relocation_to_accumulate() error: dereferencing freed memory 'rel_head'
Date: Wed, 13 Dec 2023 11:29:29 -0800	[thread overview]
Message-ID: <ZXoGGcAFdbn+quq+@ghost> (raw)
In-Reply-To: <17fcf691-e184-4542-b095-bbb4084d031f@suswa.mountain>

On Wed, Dec 13, 2023 at 04:19:26PM +0300, Dan Carpenter wrote:
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> head:   88035e5694a86a7167d490bb95e9df97a9bb162b
> commit: d8792a5734b0f3e58b898c2e2f910bfac48e9ee3 riscv: Safely remove entries from relocation list
> config: riscv-randconfig-r071-20231211 (https://download.01.org/0day-ci/archive/20231213/202312132019.iYGTwW0L-lkp@intel.com/config)
> compiler: riscv64-linux-gcc (GCC) 13.2.0
> reproduce: (https://download.01.org/0day-ci/archive/20231213/202312132019.iYGTwW0L-lkp@intel.com/reproduce)
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> | Closes: https://lore.kernel.org/r/202312132019.iYGTwW0L-lkp@intel.com/
> 
> New smatch warnings:
> arch/riscv/kernel/module.c:727 add_relocation_to_accumulate() error: dereferencing freed memory 'rel_head'
> arch/riscv/kernel/module.c:792 apply_relocate_add() warn: unsigned 'hashtable_bits' is never less than zero.
> 
> vim +/rel_head +727 arch/riscv/kernel/module.c
> 
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  717  		INIT_LIST_HEAD(rel_head->rel_entry);
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  718  		rel_head->location = location;
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  719  		INIT_HLIST_NODE(&rel_head->node);
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  720  		if (!current_head->first) {
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  721  			bucket =
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  722  				kmalloc(sizeof(struct used_bucket), GFP_KERNEL);
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  723  
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  724  			if (!bucket) {
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  725  				kfree(entry);
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  726  				kfree(rel_head);
> d8792a5734b0f3 Charlie Jenkins      2023-11-27 @727  				kfree(rel_head->rel_entry);
> 
> Swap these two frees to avoid a use after free.

Thanks for pointing this out.

> 
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  728  				return -ENOMEM;
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  729  			}
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  730  
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  731  			INIT_LIST_HEAD(&bucket->head);
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  732  			bucket->bucket = current_head;
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  733  			list_add(&bucket->head, used_buckets_list);
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  734  		}
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  735  		hlist_add_head(&rel_head->node, current_head);
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  736  	}
> 
> [ snip ]
> 
> e2c0cdfba7f699 Palmer Dabbelt       2017-07-10  773  int apply_relocate_add(Elf_Shdr *sechdrs, const char *strtab,
> e2c0cdfba7f699 Palmer Dabbelt       2017-07-10  774  		       unsigned int symindex, unsigned int relsec,
> e2c0cdfba7f699 Palmer Dabbelt       2017-07-10  775  		       struct module *me)
> e2c0cdfba7f699 Palmer Dabbelt       2017-07-10  776  {
> e2c0cdfba7f699 Palmer Dabbelt       2017-07-10  777  	Elf_Rela *rel = (void *) sechdrs[relsec].sh_addr;
> 8cbe0accc4a6ba Emil Renner Berthing 2023-11-01  778  	int (*handler)(struct module *me, void *location, Elf_Addr v);
> e2c0cdfba7f699 Palmer Dabbelt       2017-07-10  779  	Elf_Sym *sym;
> 8cbe0accc4a6ba Emil Renner Berthing 2023-11-01  780  	void *location;
> e2c0cdfba7f699 Palmer Dabbelt       2017-07-10  781  	unsigned int i, type;
> e2c0cdfba7f699 Palmer Dabbelt       2017-07-10  782  	Elf_Addr v;
> e2c0cdfba7f699 Palmer Dabbelt       2017-07-10  783  	int res;
> 8fd6c5142395a1 Charlie Jenkins      2023-11-01  784  	unsigned int num_relocations = sechdrs[relsec].sh_size / sizeof(*rel);
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  785  	struct hlist_head *relocation_hashtable;
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  786  	struct list_head used_buckets_list;
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  787  	unsigned int hashtable_bits;
>                                                         ^^^^^^^^
> 
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  788  
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  789  	hashtable_bits = initialize_relocation_hashtable(num_relocations,
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  790  							 &relocation_hashtable);
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  791  
> d8792a5734b0f3 Charlie Jenkins      2023-11-27 @792  	if (hashtable_bits < 0)
>                                                             ^^^^^^^^^^^^^^^^^^
> Can't be less than zero.

I am returning a negative number in an unsigned function, oops. Since
the only possible failure in the function is an out-of-memory error and
0 is not a valid return, I will return 0 in the out-of-memory case.

- Charlie

> 
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  793  		return hashtable_bits;
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  794  
> d8792a5734b0f3 Charlie Jenkins      2023-11-27  795  	INIT_LIST_HEAD(&used_buckets_list);
> 
> -- 
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>

next prev parent reply	other threads:[~2023-12-13 19:29 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-13 13:19 arch/riscv/kernel/module.c:727 add_relocation_to_accumulate() error: dereferencing freed memory 'rel_head' Dan Carpenter
2023-12-13 19:29 ` Charlie Jenkins [this message]
  -- strict thread matches above, loose matches on Subject: below --
2023-12-13 12:49 kernel test robot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZXoGGcAFdbn+quq+@ghost \
    --to=charlie@rivosinc.com \
    --cc=dan.carpenter@linaro.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lkp@intel.com \
    --cc=oe-kbuild-all@lists.linux.dev \
    --cc=oe-kbuild@lists.linux.dev \
    --cc=palmer@rivosinc.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.