From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: Nathan Lynch <ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org>
Cc: Linux Containers <containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>
Subject: Re: [PATCH 1/1] cr: uts: don't pass an unsigned var as a signed int
Date: Sun, 21 Jun 2009 08:53:23 -0500 [thread overview]
Message-ID: <20090621135323.GA1731@hallyn.com> (raw)
In-Reply-To: <m34ouaf942.fsf-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org>
Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:
>
> > Quoting Nathan Lynch (ntl-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org):
> >> "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> writes:
> >>
> >> > Else my checkpoint image gets reeeaallly huge. Just passing the
> >> > result of sizeof() however does the right thing.
> >> >
> >> > Signed-off-by: Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
> >> > ---
> >> > checkpoint/namespace.c | 12 ++++++------
> >> > 1 files changed, 6 insertions(+), 6 deletions(-)
> >>
> >> But right above the code you're changing we have:
> >>
> >> h->sysname_len = sizeof(name->sysname);
> >> h->nodename_len = sizeof(name->nodename);
> >> h->release_len = sizeof(name->release);
> >> h->version_len = sizeof(name->version);
> >> h->machine_len = sizeof(name->machine);
> >> h->domainname_len = sizeof(name->domainname);
> >>
> >> Your patch shouldn't change any behavior. What gives?
> >
> > "Shouldn't", perhaps, but does.
>
>
> Revisiting do_checkpoint_uts_ns, I think it's a case of use after free:
>
> 	h = ckpt_hdr_get_type(ctx, sizeof(*h), CKPT_HDR_UTS_NS);
> 	if (!h)
> 		return -ENOMEM;
>
> 	h->sysname_len = sizeof(name->sysname);
> 	h->nodename_len = sizeof(name->nodename);
> 	h->release_len = sizeof(name->release);
> 	h->version_len = sizeof(name->version);
> 	h->machine_len = sizeof(name->machine);
> 	h->domainname_len = sizeof(name->domainname);
>
> 	ret = ckpt_write_obj(ctx, &h->h);
> 	ckpt_hdr_put(ctx, h);
> 	if (ret < 0)
> 		return ret;
>
> 	down_read(&uts_sem);
> 	ret = ckpt_write_string(ctx, name->sysname, h->sysname_len);
>
> We're continuing to use h's memory after it has been released by
> ckpt_hdr_put. Seems plausible that the poison values written by sl*b
> debug would cause the len argument to be ridiculously large.
Haha. Can't believe I didn't see that!
Thanks.
-serge
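The ordering bug Nathan points out, reduced to a stand-alone C model (an added example, not code from the checkpoint/restart tree): the hypothetical hdr_get/hdr_put stand in for ckpt_hdr_get_type/ckpt_hdr_put over a single static slot, and hdr_put overwrites the released object with the slab-debug free poison byte 0x6b before handing it back, which is what turned h->sysname_len into a huge length.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the UTS header; only the field the bug hits. */
struct uts_hdr {
	uint32_t sysname_len;
};

#define POISON_FREE 0x6b        /* slab debugging fills freed objects with this */
#define SYSNAME_SZ  65          /* sizeof(name->sysname) in struct new_utsname */

/* One static slot plays the role of the slab object so the demo stays
 * well-defined: the memory is never unmapped, only poisoned. */
static struct uts_hdr slot;

static struct uts_hdr *hdr_get(void)
{
	memset(&slot, 0, sizeof(slot));
	return &slot;
}

/* Model of ckpt_hdr_put() with slab poisoning: the object's contents are
 * destroyed, so any later read through the pointer sees 0x6b bytes. */
static void hdr_put(struct uts_hdr *h)
{
	memset(h, POISON_FREE, sizeof(*h));
}

/* Buggy ordering from do_checkpoint_uts_ns: the header is released
 * before the length is passed to ckpt_write_string(). */
uint32_t buggy_sysname_len(void)
{
	struct uts_hdr *h = hdr_get();

	h->sysname_len = SYSNAME_SZ;
	hdr_put(h);
	return h->sysname_len;  /* use after free: 0x6b6b6b6b, not 65 */
}

/* Fixed ordering: take the value while the header is still live and
 * release it only after the last use. */
uint32_t fixed_sysname_len(void)
{
	struct uts_hdr *h = hdr_get();
	uint32_t len;

	h->sysname_len = SYSNAME_SZ;
	len = h->sysname_len;
	hdr_put(h);
	return len;             /* 65 */
}
```

Without slab debugging the freed memory usually still holds the old value, which is why the bug only showed up as an enormous checkpoint image on a debug kernel; KASAN or slub_debug=P on a test kernel makes this class of read fail loudly instead of silently.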