On 02/22/2016 05:37 PM, David Howells wrote:
> Jerome Marchand <jmarchan@redhat.com> wrote:
> 
>> In assoc_array_insert_into_terminal_node(), we call the
>> compare_object() method on all empty slots,

Sorry, this is a typo. It should be "on all non-empty slots".

> 
> Ummm...  That shouldn't happen - the:
> 
> 		if (!ptr) {
> 			free_slot = i;
> 			continue;
> 		}
> 
> preceding the line you modified should cause the comparison to be skipped on a
> slot if it's empty.
> 
>> even when they're not leaves, passing a pointer to an unexpected structure
>> to compare_object().
> 
> Do you instead mean a metadata pointer rather than an empty slot?

Yes. In the cases I debugged, it was a node, but I guess we could
encounter a shortcut here too.

> 
>> Currently it causes an out-of-bound read access in keyring_compare_object
>> detected by KASan.  The issue is easily reproduced with keyutils testsuite.
> 
> I don't see it.  Did you modify the testsuite, or is it a matter of running it
> often enough?

Do you have KASan enabled? In my experience, the reproduction is
systematic on some test (e.g. keyctl/unlink/all). AFAIK, the testsuite
isn't modify (it's from Red Hat test infrastructure).

> 
> Also, can you include the oops output you get in the patch description,
> please?

Sure.

> 
> That said, I can see that there is probably an issue that your patch fixes -
> but it's not quite the one you describe (see above).

Does the description sounds correct if you add the missing negation?

Jerome
> 
> David
>