Bug 44621 - Missing NULL check of the return value of nla_reserve() in function cgroupstats_user_cmd() ?
Summary: Missing NULL check of the return value of nla_reserve() in function cgroupsta...
Status: RESOLVED CODE_FIX
Alias: None
Product: Process Management
Classification: Unclassified
Component: Other (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Alan
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-13 01:41 UTC by RUC_Soft_Sec
Modified: 2012-08-15 21:50 UTC (History)
2 users (show)

See Also:
Kernel Version: 2.6.39
Tree: Mainline
Regression: No


Attachments

Description RUC_Soft_Sec 2012-07-13 01:41:59 UTC
Function nal_reserve() will return NULL if the tailroom of skb is insufficient, so the return value shall be checked against NULL before used. But in function cgroupstats_user_cmd(), the return value of nla_reserve()(called at kernel/taskstats.c:430) is used without NULL check.
The related codes are as following.
cgroupstats_user_cmd @@kernel/taskstats.c:430
 430        na = nla_reserve(rep_skb, CGROUPSTATS_TYPE_CGROUP_STATS,
 431                                sizeof(struct cgroupstats));
 432        stats = nla_data(na);
 433        memset(stats, 0, sizeof(*stats));

Generally, the return value of nla_reserve() is checked against NULL. For example, in function mk_reply() in the same file with cgroupstats_user_cmd().
mk_reply @@kernel/taskstats.c:393
 393        ret = nla_reserve(skb, TASKSTATS_TYPE_STATS, sizeof(struct taskstats));
 394        if (!ret)
 395                goto err;
 396        nla_nest_end(skb, na);
 397
 398        return nla_data(ret);


Thank you

RUC_Soft_Sec
Comment 1 Florian Mickler 2012-08-04 19:09:52 UTC
A patch referencing this bug report has been merged in Linux v3.6-rc1:

commit 25353b3377d5a75d4b830477bb90a3691155de72
Author: Alan Cox <alan@linux.intel.com>
Date:   Mon Jul 30 14:42:49 2012 -0700

    taskstats: check nla_reserve() return

Note You need to log in before you can comment on or make changes to this bug.