Bug 44621

Summary: Missing NULL check of the return value of nla_reserve() in function cgroupstats_user_cmd() ?
Product: Process Management
Reporter: RUC_Soft_Sec (rucsoftsec)
Component: Other
Assignee: Alan (alan)
Status: RESOLVED CODE_FIX
Severity: normal
CC: alan, florian
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.39 Tree: Mainline
Regression: No

Description RUC_Soft_Sec 2012-07-13 01:41:59 UTC
Function nla_reserve() will return NULL if the tailroom of the skb is insufficient, so the return value shall be checked against NULL before it is used. But in function cgroupstats_user_cmd(), the return value of nla_reserve() (called at kernel/taskstats.c:430) is used without a NULL check.
The related code is as follows.
cgroupstats_user_cmd @@kernel/taskstats.c:430
 430        na = nla_reserve(rep_skb, CGROUPSTATS_TYPE_CGROUP_STATS,
 431                                sizeof(struct cgroupstats));
 432        stats = nla_data(na);
 433        memset(stats, 0, sizeof(*stats));

Generally, the return value of nla_reserve() is checked against NULL, for example in function mk_reply() in the same file as cgroupstats_user_cmd().
mk_reply @@kernel/taskstats.c:393
 393        ret = nla_reserve(skb, TASKSTATS_TYPE_STATS, sizeof(struct taskstats));
 394        if (!ret)
 395                goto err;
 396        nla_nest_end(skb, na);
 397
 398        return nla_data(ret);


Thank you

RUC_Soft_Sec
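A stand-alone C model of the defect and its fix, added here as an illustration and not taken from the kernel or from the merged patch: nla_reserve() is modelled as returning NULL when the buffer lacks tailroom, and the caller checks that result before calling nla_data(), the way mk_reply() does. The sk_buff, nlattr and cgroupstats definitions and the functions model_nla_reserve(), model_nla_data() and cgroupstats_fill_checked() are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CGROUPSTATS_TYPE_CGROUP_STATS 1
#define NLA_ALIGN(len) (((len) + 3) & ~3)

/* Minimal stand-ins for the kernel types, constructed for this example. */
struct cgroupstats { uint64_t nr_sleeping, nr_running, nr_stopped,
                     nr_uninterruptible, nr_io_wait; };
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
struct sk_buff { unsigned char *data; size_t len; size_t size; };

/* Model of nla_reserve(): NULL when the tailroom cannot hold the attribute. */
static struct nlattr *model_nla_reserve(struct sk_buff *skb, int type, size_t len)
{
    size_t need = NLA_ALIGN(sizeof(struct nlattr) + len);
    if (skb->size - skb->len < need)
        return NULL;                      /* insufficient tailroom */
    struct nlattr *nla = (struct nlattr *)(skb->data + skb->len);
    nla->nla_type = (uint16_t)type;
    nla->nla_len = (uint16_t)(sizeof(struct nlattr) + len);
    skb->len += need;
    return nla;
}

/* Model of nla_data(): the payload follows the 4-byte attribute header. */
static void *model_nla_data(struct nlattr *nla)
{
    return (unsigned char *)nla + sizeof(struct nlattr);
}

/* Hardened reporting path: the original passed the unchecked result straight
 * to nla_data() and memset(); here a NULL reserve becomes -EMSGSIZE instead. */
static int cgroupstats_fill_checked(struct sk_buff *rep_skb)
{
    struct nlattr *na = model_nla_reserve(rep_skb, CGROUPSTATS_TYPE_CGROUP_STATS,
                                          sizeof(struct cgroupstats));
    if (na == NULL)
        return -EMSGSIZE;                 /* mk_reply() does the same via goto err */
    struct cgroupstats *stats = model_nla_data(na);
    memset(stats, 0, sizeof(*stats));
    return 0;
}
```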
Comment 1 Florian Mickler 2012-08-04 19:09:52 UTC
A patch referencing this bug report has been merged in Linux v3.6-rc1:

commit 25353b3377d5a75d4b830477bb90a3691155de72
Author: Alan Cox <alan@linux.intel.com>
Date:   Mon Jul 30 14:42:49 2012 -0700

    taskstats: check nla_reserve() return