Re: [PATCH v3] char: tty3270: fix a missing check on list iterator

From: Jiri Slaby
Date: Tue Mar 29 2022 - 02:07:27 EST


On 28. 03. 22, 12:27, Xiaomeng Tong wrote:
> On Mon, 28 Mar 2022 12:09:59 +0200, Jiri Slaby wrote:
>> On 28. 03. 22, 11:35, Xiaomeng Tong wrote:
>>> The bug is here:
>>> if (s->len != flen) {
>>>
>>> The list iterator 's' will point to a bogus position containing
>>> HEAD if the list is empty or no element is found.
>>
>> Could you also explain how that can happen?


> When list_for_each_entry_* does not exit early (if the list is empty
> or no break/goto/return is hit inside the loop), it will set pos ('s' here)
> to a bogus pointer that points to an invalid struct computed from
> &HEAD using container_of.
>
> #define list_for_each_entry(pos, head, member) \
>         for (pos = list_first_entry(head, typeof(*pos), member); \
>              !list_entry_is_head(pos, head, member); \
>              pos = list_next_entry(pos, member))

No, I didn't mean what happens on that site on the code level. I think everyone understands that. Instead, I meant: what circumstances lead to this _situation_ in reality?

thanks,
--
js
suse labs
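The hazard discussed in the thread, as an added userspace example that is not part of the mailing-list message, the tty3270 patch, or the kernel tree: a minimal re-implementation of the kernel's list_head and list_for_each_entry() macros (same shape as the macro quoted above), a buggy lookup that reads the iterator after the loop, and a defensive rewrite that records the match in a separate variable. The struct name `string`, the `find_len_*` helpers and the two-element sample list are assumptions made for this demo.

```c
/* Added example (not from the thread or the kernel tree): shows why the
 * iterator of list_for_each_entry() is a bogus HEAD-derived pointer once
 * the loop runs to completion, and the defensive pattern that avoids it.
 * Names below (struct string, find_len_*) are assumptions for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
#define list_first_entry(head, type, member) \
	list_entry((head)->next, type, member)
#define list_next_entry(pos, member) \
	list_entry((pos)->member.next, __typeof__(*(pos)), member)
#define list_entry_is_head(pos, head, member) (&(pos)->member == (head))
/* same shape as the kernel macro quoted in the thread */
#define list_for_each_entry(pos, head, member) \
	for (pos = list_first_entry(head, __typeof__(*pos), member); \
	     !list_entry_is_head(pos, head, member); \
	     pos = list_next_entry(pos, member))

static inline void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static inline void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}

/* stand-in for a list entry carrying a length, like the 's->len' check */
struct string {
	size_t len;
	struct list_head list;
};

/* Buggy shape: the iterator is used after the loop. On a miss (or an empty
 * list) it is container_of(head, ...), not a real entry. Never dereferenced
 * here; the caller only compares the address. */
static struct string *find_len_unsafe(struct list_head *head, size_t flen)
{
	struct string *s;

	list_for_each_entry(s, head, list)
		if (s->len == flen)
			break;
	return s;
}

/* Defensive shape: a separate result pointer that is only set on a hit. */
static struct string *find_len_safe(struct list_head *head, size_t flen)
{
	struct string *s, *found = NULL;

	list_for_each_entry(s, head, list) {
		if (s->len == flen) {
			found = s;
			break;
		}
	}
	return found;	/* NULL on empty list or no match */
}

/* True when the unsafe lookup hands back the HEAD-derived bogus address. */
static int unsafe_result_is_bogus(struct list_head *head, size_t flen)
{
	uintptr_t got = (uintptr_t)find_len_unsafe(head, flen);
	uintptr_t bogus = (uintptr_t)head - offsetof(struct string, list);

	return got == bogus;
}

/* Builds a constructed two-element list plus an empty one and reports:
 * bit0 safe lookup finds the len-5 entry, bit1 safe lookup misses -> NULL,
 * bit2 unsafe lookup on a miss yields the bogus address,
 * bit3 unsafe lookup on an empty list yields the bogus address. */
static int demo_results(void)
{
	struct list_head head, empty;
	struct string a = { .len = 3 }, b = { .len = 5 };
	int r = 0;

	INIT_LIST_HEAD(&head);
	INIT_LIST_HEAD(&empty);
	list_add_tail(&a.list, &head);
	list_add_tail(&b.list, &head);
	if (find_len_safe(&head, 5) == &b) r |= 1;
	if (find_len_safe(&head, 9) == NULL) r |= 2;
	if (unsafe_result_is_bogus(&head, 9)) r |= 4;
	if (unsafe_result_is_bogus(&empty, 9)) r |= 8;
	return r;
}

int main(void)
{
	printf("demo_results bitmask: %d (15 means all four checks hold)\n",
	       demo_results());
	return 0;
}
```

The unsafe variant compiles cleanly and even works while the entry exists, which is why such bugs survive review; the bogus pointer only bites when the list is empty or the search misses, exactly the circumstances the thread is asking about. Keeping the match in a separate pointer (or switching the post-loop logic to a found flag) makes the miss case explicit and leaves nothing to dereference.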