From: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
To: Christopher Li <sparse@chrisli.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
Linux-Sparse <linux-sparse@vger.kernel.org>
Subject: Re: [PATCH] ptrlist: use after free in last_ptr_list()
Date: Sun, 6 Nov 2016 09:49:38 +0100 [thread overview]
Message-ID: <20161106084937.GA818@macpro.local> (raw)
In-Reply-To: <CANeU7QmO-7C+6JwxQDCaLotx0MZ=-HSgTc2thO8fSvxD5JR32Q@mail.gmail.com>
On Sat, Nov 05, 2016 at 08:30:31AM +0800, Christopher Li wrote:
> Those function originally all assume the list
> are packed.
>
> Is there usage case in current sparse that
> feed unpacked list to those function?
>
> Chris
The situation is not black & white.
There is two 'unsafe' cases. By 'unsafe' I mean that
DELETE_CURRENT_PTR() is used but without PACK_PTR_LIST()
and the end of the iteration like done elsewhere.
OTOH, I've added at the beginning of every ptr_list loops
some assert() that check if the ptr_list is packed or not
and none ever triggered, even when LIST_NODE_NR is changed
from 29 to 1 (to force list->nr == 0 at each delete).
Also, assertions doing bound checking on ptr_list::list[]
accesses never triggered.
So, to answer your question, it seems that in the current
sparse code we don't feed unpacked lists to the 'dangerous'
functions but for the two unsafe case you can't guarantee
thsi just by looking at the local code
(or it's just by chance).
I think that for the moment, it's best to simply add
PACK_PTR_LIST() at the end of the two unsafe cases
(patch will come later).
OTOH, I feel this whole situation is a bit fragile.
NOTE: for the moment, I've only checked all this with the
testsuite. I will recheck on more substantial amount of code
but this will need to wait a little bit.
Luc
next prev parent reply other threads:[~2016-11-06 8:49 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-13 9:45 [PATCH] ptrlist: use after free in last_ptr_list() Dan Carpenter
2016-11-02 12:48 ` Luc Van Oostenryck
2016-11-02 14:52 ` Christopher Li
2016-11-02 15:23 ` Luc Van Oostenryck
2016-11-04 10:44 ` Luc Van Oostenryck
2016-11-05 0:30 ` Christopher Li
2016-11-06 8:49 ` Luc Van Oostenryck [this message]
2016-11-07 10:00 ` Luc Van Oostenryck
2016-11-16 22:46 ` Christopher Li
2016-11-16 23:22 ` Luc Van Oostenryck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161106084937.GA818@macpro.local \
--to=luc.vanoostenryck@gmail.com \
--cc=dan.carpenter@oracle.com \
--cc=linux-sparse@vger.kernel.org \
--cc=sparse@chrisli.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).