Re: net/if.c: nullptr deref in if_hooks_run
On Tue, 10 Mar 2020 10:25:56 +1000, David Gwynne wrote: > how about this? this has the cursor handling move the traversal and > NULL check back to the for loop instead of looping on its own. Much better. OK millert@ - todd
Re: net/if.c: nullptr deref in if_hooks_run
On Mon, Mar 09, 2020 at 11:56:09PM +0100, Klemens Nanni wrote: > On Mon, Mar 09, 2020 at 10:33:17PM +0100, Tobias Heider wrote: > > there seems to be a nullptr dereference in if_hooks_run. > Did your kernel crash here or did you find reading alone? > > > When the inner while loop is exited because 't == NULL' the next > > line is an access to 't->t_func'. > Yes, reads obviously wrong. :'( > > Because 't==NULL' means the TAILQ is fully traversed I think we > > should break and exit instead. > Make sense, OK kn how about this? this has the cursor handling move the traversal and NULL check back to the for loop instead of looping on its own. Index: if.c === RCS file: /cvs/src/sys/net/if.c,v retrieving revision 1.600 diff -u -p -r1.600 if.c --- if.c24 Jan 2020 05:14:51 - 1.600 +++ if.c10 Mar 2020 00:24:00 - @@ -1050,10 +1050,9 @@ if_hooks_run(struct task_list *hooks) mtx_enter(&if_hooks_mtx); for (t = TAILQ_FIRST(hooks); t != NULL; t = nt) { - while (t->t_func == NULL) { /* skip cursors */ - t = TAILQ_NEXT(t, t_entry); - if (t == NULL) - break; + if (t->t_func == NULL) { /* skip cursors */ + nt = TAILQ_NEXT(t, t_entry); + continue; } func = t->t_func; arg = t->t_arg;
Re: net/if.c: nullptr deref in if_hooks_run
On Mon, Mar 09, 2020 at 11:56:09PM +0100, Klemens Nanni wrote: > On Mon, Mar 09, 2020 at 10:33:17PM +0100, Tobias Heider wrote: > > there seems to be a nullptr dereference in if_hooks_run. > Did your kernel crash here or did you find reading alone? Coverity Scan found it > > When the inner while loop is exited because 't == NULL' the next > > line is an access to 't->t_func'. > Yes, reads obviously wrong. > > > Because 't==NULL' means the TAILQ is fully traversed I think we > > should break and exit instead. > Make sense, OK kn >
Re: net/if.c: nullptr deref in if_hooks_run
On Mon, Mar 09, 2020 at 10:33:17PM +0100, Tobias Heider wrote: > there seems to be a nullptr dereference in if_hooks_run. Did your kernel crash here or did you find reading alone? > When the inner while loop is exited because 't == NULL' the next > line is an access to 't->t_func'. Yes, reads obviously wrong. > Because 't==NULL' means the TAILQ is fully traversed I think we > should break and exit instead. Make sense, OK kn
net/if.c: nullptr deref in if_hooks_run
Hi, there seems to be a nullptr dereference in if_hooks_run. When the inner while loop is exited because 't == NULL' the next line is an access to 't->t_func'. Because 't==NULL' means the TAILQ is fully traversed I think we should break and exit instead. ok? Index: if.c === RCS file: /mount/openbsd/cvs/src/sys/net/if.c,v retrieving revision 1.600 diff -u -p -r1.600 if.c --- if.c24 Jan 2020 05:14:51 - 1.600 +++ if.c9 Mar 2020 21:25:06 - @@ -1055,6 +1055,8 @@ if_hooks_run(struct task_list *hooks) if (t == NULL) break; } + if (t == NULL) + break; func = t->t_func; arg = t->t_arg;