Re: [PATCH] mm: fix potential invalid pointer dereference in kmemdup()

From: David Hildenbrand
Date: Tue Mar 07 2023 - 05:05:46 EST

Next message: Alexandre Mergnat: "[PATCH v4] dt-bindings: display: mediatek: clean unnecessary item"
Previous message: Naresh Kamboju: "ftrace_regression01: qemu-i386: EIP: vm_area_free: Kernel panic - not syncing: Fatal exception in interrupt"
In reply to: Xujun Leng: "[PATCH] mm: fix potential invalid pointer dereference in kmemdup()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 07.03.23 10:03, Xujun Leng wrote:

If kmemdup() was called with src == NULL, then memcpy() source address
is fatal, and if kmemdup() was called with len == 0, kmalloc_track_caller()
will return ZERO_SIZE_PTR to variable p, then memcpy() destination address
is fatal. Both 2 cases will cause an invalid pointer dereference.

"fix" in subject implies that there is actually a case broken. Is there, or is this rather a "sanitize" ?

Signed-off-by: Xujun Leng <lengxujun2007@xxxxxxx>
---
mm/util.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/mm/util.c b/mm/util.c
index dd12b9531ac4..d1a3b3d2988e 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -128,6 +128,9 @@ void *kmemdup(const void *src, size_t len, gfp_t gfp)
{
void *p;
+ if (!src || len == 0)
+ return NULL;
+
p = kmalloc_track_caller(len, gfp);
if (p)
memcpy(p, src, len);

Why should we take care of kmemdup(), but not memdup_user() ? Shouldn't it suffer from similar problems?

--
Thanks,

David / dhildenb

Next message: Alexandre Mergnat: "[PATCH v4] dt-bindings: display: mediatek: clean unnecessary item"
Previous message: Naresh Kamboju: "ftrace_regression01: qemu-i386: EIP: vm_area_free: Kernel panic - not syncing: Fatal exception in interrupt"
In reply to: Xujun Leng: "[PATCH] mm: fix potential invalid pointer dereference in kmemdup()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]