
Linux kernel NULL-pointer dereference in memset from kzalloc

Quite by chance I stumbled upon some code in the kernel jungle and was a bit confused. There are two implementations of kzalloc(): one in tools/virtio/linux/kernel.h and the main one in linux/slab.h. Obviously, in most cases the second one is used. But sometimes the "virtio" kzalloc() is used.

The "virtio" kzalloc() looks like this:

static inline void *kzalloc(size_t s, gfp_t gfp)
{
    void *p = kmalloc(s, gfp);

    memset(p, 0, s);
    return p;
}

My confusion is that the "fake" kmalloc() used inside the "tools" directory can return a NULL pointer. Also, it looks like the memset() implementation doesn't check for NULL pointers, so there could be a NULL-pointer dereference. Is it a bug, or am I missing something?

The header is mainly used for userspace testing, such as virtio_test.

From the git log of tools/virtio/virtio_test.c:

This is the userspace part of the tool: it includes a bunch of stubs for linux APIs, somewhat similar to linuxsched. This makes it possible to recompile the ring code in userspace.

A small test example is implemented combining this with the vhost_test module.

So yes, the code is a bit unsafe (clean coding would test for a NULL pointer prior to memset() and bail out with an appropriate error message), but since it is just a testing tool, it seems to have been considered uncritical to skip this test.
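As an added example (not from the question, either answer, or the kernel tree), the userspace program below places the unchecked virtio-style kzalloc() next to a checked version that propagates allocation failure to the caller. The kmalloc() here is a malloc() wrapper, gfp_t is a plain unsigned int, and the fail_allocs flag is a hypothetical fault-injection knob that forces kmalloc() to return NULL so the failure path can be exercised without exhausting memory; all three are assumptions of this example, not the tool's actual definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed: gfp_t is a kernel type; this userspace stand-in ignores it. */
typedef unsigned int gfp_t;

/* Hypothetical fault-injection knob (not in tools/virtio): when non-zero,
 * every allocation fails, which is how we reach the NULL path on demand. */
static int fail_allocs = 0;

/* Assumed userspace stand-in for kmalloc(): may return NULL, like malloc(). */
static void *kmalloc(size_t s, gfp_t gfp)
{
    (void)gfp;
    if (fail_allocs)
        return NULL;
    return malloc(s);
}

/* Same shape as the stub quoted from tools/virtio/linux/kernel.h:
 * memset() runs even when kmalloc() returned NULL, which is undefined
 * behaviour and a crash in practice. Only ever call it when allocation
 * is known to succeed. */
static void *kzalloc_unchecked(size_t s, gfp_t gfp)
{
    void *p = kmalloc(s, gfp);

    memset(p, 0, s);
    return p;
}

/* Hardened version: report failure as NULL instead of dereferencing it. */
static void *kzalloc_checked(size_t s, gfp_t gfp)
{
    void *p = kmalloc(s, gfp);

    if (!p)
        return NULL;
    memset(p, 0, s);
    return p;
}

/* Returns 1 if all n bytes at p are zero, 0 otherwise (p must be non-NULL). */
static int all_zero(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i])
            return 0;
    return 1;
}

/* Returns 1 when the checked version hands back a zeroed buffer of n bytes
 * under normal conditions, 0 otherwise. */
static int checked_alloc_is_zeroed(size_t n)
{
    fail_allocs = 0;
    unsigned char *p = kzalloc_checked(n, 0);
    int ok = p != NULL && all_zero(p, n);
    free(p);
    return ok;
}

/* Returns 1 when, under injected allocation failure, the checked version
 * returns NULL without touching memory, 0 otherwise. */
static int checked_alloc_fails_cleanly(size_t n)
{
    fail_allocs = 1;
    void *p = kzalloc_checked(n, 0);
    fail_allocs = 0;
    return p == NULL;
}

int main(void)
{
    /* The unchecked stub is fine as long as kmalloc() succeeds. */
    unsigned char *u = kzalloc_unchecked(32, 0);
    printf("unchecked, allocation ok: zeroed=%d\n", all_zero(u, 32));
    free(u);

    printf("checked, allocation ok: zeroed=%d\n", checked_alloc_is_zeroed(64));
    printf("checked, allocation fails: returned NULL=%d\n",
           checked_alloc_fails_cleanly(64));
    return 0;
}
```

The point of the fault-injection flag is that the bug in the original stub is invisible on any machine with free memory; it only shows up when kmalloc() fails, which a test harness has to provoke deliberately.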

Yes, that definitely looks like a bug.

The tools/ subdirectory is a collection of user space tools (as the name suggests). You can also see this by the fact that several C standard library headers are included. So this of course is not a kernel bug (that would have been very bad), just a minor oversight in the virtio testing tool.

That virtio testing tool seems to re-define some kernel APIs to mock their behavior in userspace. That function, though, doesn't seem to be ever used in practice, just merely defined.

marco:~/git/linux/tools/virtio$ grep -r kzalloc
linux/kernel.h:static inline void *kzalloc(size_t s, gfp_t gfp)
ringtest/ptr_ring.c:static inline void *kzalloc(unsigned size, gfp_t flags)
marco:~/git/linux/tools/virtio$

It's probably meant to be used by someone who wishes to test some virtio kernel code in userspace.

In any case, you could try reporting the bug. The get_maintainer.pl script suggests:

$ perl scripts/get_maintainer.pl -f tools/virtio/linux/kernel.h
Bad divisor in main::vcs_assign: 0
"Michael S. Tsirkin" <mst@redhat.com> (maintainer:VIRTIO CORE AND NET DRIVERS)
Jason Wang <jasowang@redhat.com> (maintainer:VIRTIO CORE AND NET DRIVERS)
virtualization@lists.linux-foundation.org (open list:VIRTIO CORE AND NET DRIVERS)
linux-kernel@vger.kernel.org (open list)
