On 02/22/2016 05:37 PM, David Howells wrote: > Jerome Marchand <[email protected]> wrote: > >> In assoc_array_insert_into_terminal_node(), we call the >> compare_object() method on all empty slots,
Sorry, this is a typo. It should be "on all non-empty slots".
>
> Ummm... That shouldn't happen - the:
>
> if (!ptr) {
> free_slot = i;
> continue;
> }
>
> preceding the line you modified should cause the comparison to be skipped on a
> slot if it's empty.
>
>> even when they're not leaves, passing a pointer to an unexpected structure
>> to compare_object().
>
> Do you instead mean a metadata pointer rather than an empty slot?
Yes. In the cases I debugged, it was a node, but I guess we could
encounter a shortcut here too.
>
>> Currently it causes an out-of-bound read access in keyring_compare_object
>> detected by KASan. The issue is easily reproduced with keyutils testsuite.
>
> I don't see it. Did you modify the testsuite, or is it a matter of running it
> often enough?
Do you have KASan enabled? In my experience, the reproduction is
systematic on some test (e.g. keyctl/unlink/all). AFAIK, the testsuite
isn't modify (it's from Red Hat test infrastructure).
>
> Also, can you include the oops output you get in the patch description,
> please?
Sure.
>
> That said, I can see that there is probably an issue that your patch fixes -
> but it's not quite the one you describe (see above).
Does the description sounds correct if you add the missing negation?
Jerome
>
> David
>
signature.asc
Description: OpenPGP digital signature
