search for: uninit

We don't mark dirty pages if the map was teared down outside MMU notifier. This will lead untracked dirty pages. Fixing by marking dirty pages during map uninit. Reported-by: Michael S. Tsirkin <mst at redhat.com> Fixes: 7f466032dc9e ("vhost: access vq metadata through kernel virtual address") Signed-off-by: Jason Wang <jasowang at redhat.com> --- drivers/vhost/vhost.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6...

On 2019/7/23 ??5:17, Michael S. Tsirkin wrote: > On Tue, Jul 23, 2019 at 03:57:17AM -0400, Jason Wang wrote: >> We don't mark dirty pages if the map was teared down outside MMU >> notifier. This will lead untracked dirty pages. Fixing by marking >> dirty pages during map uninit. >> >> Reported-by: Michael S. Tsirkin<mst at redhat.com> >> Fixes: 7f466032dc9e ("vhost: access vq metadata through kernel virtual address") >> Signed-off-by: Jason Wang<jasowang at redhat.com> >> --- >> drivers/vhost/vhost.c | 22 +++++++...

On Tue, Jul 23, 2019 at 03:57:17AM -0400, Jason Wang wrote: > We don't mark dirty pages if the map was teared down outside MMU > notifier. This will lead untracked dirty pages. Fixing by marking > dirty pages during map uninit. > > Reported-by: Michael S. Tsirkin <mst at redhat.com> > Fixes: 7f466032dc9e ("vhost: access vq metadata through kernel virtual address") > Signed-off-by: Jason Wang <jasowang at redhat.com> > --- > drivers/vhost/vhost.c | 22 ++++++++++++++++------ >...

On Tue, Jul 23, 2019 at 03:57:17AM -0400, Jason Wang wrote: > We don't mark dirty pages if the map was teared down outside MMU > notifier. This will lead untracked dirty pages. Fixing by marking > dirty pages during map uninit. > > Reported-by: Michael S. Tsirkin <mst at redhat.com> > Fixes: 7f466032dc9e ("vhost: access vq metadata through kernel virtual address") > Signed-off-by: Jason Wang <jasowang at redhat.com> > --- > drivers/vhost/vhost.c | 22 ++++++++++++++++------ >...

#syz test: https://github.com/google/kmsan.git master Subject: vhost: fix info leak Fixes: CVE-2018-1118 Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index f0be5f35ab28..9beefa6ed1ce 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct

On Thu, Jun 07, 2018 at 06:38:48PM +0300, Michael S. Tsirkin wrote: > #syz test: https://github.com/google/kmsan.git/master d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 > > Subject: vhost: fix info leak > > Fixes: CVE-2018-1118 > Signed-off-by: Michael S. Tsirkin <mst at redhat.com> > --- > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index

...struct is used without > a sensible initialization, it will crash elsewhere. > I prefer KASAN to catch such uses. > > > > > node->vq = vq; > > > node->msg.type = type; IDGI - what would your variant catch that kzalloc + 2 assignments won't? Accesses to uninitialized ->node? Because that's the only difference in what is and is not initialized between those variants...

...the Inventory Service running in RHEL 6? My Puppet Nodes are getting the following error: > [root@puppetnode-01 ~]# puppetd --debug --verbose --no-daemonize > ... > err: Could not retrieve catalog from remote server: Error 400 on SERVER: > Could not autoload inventory_active_record: uninitialized constant > ActiveRecord > ... Here''s the gems I have installed: > [root@puppetmaster ~]# gem list > *** LOCAL GEMS *** > activemodel (3.0.11) > activerecord (3.0.11) > activesupport (3.0.11) > arel (2.0.10) > builder (2.1.2) > daemon_controller (1.0...

On Thu, Jun 07, 2018 at 06:43:55PM +0100, Al Viro wrote: > On Thu, Jun 07, 2018 at 06:38:48PM +0300, Michael S. Tsirkin wrote: > > #syz test: https://github.com/google/kmsan.git/master d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 > > > > Subject: vhost: fix info leak > > > > Fixes: CVE-2018-1118 > > Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

On Thu, Jun 07, 2018 at 06:43:55PM +0100, Al Viro wrote: > On Thu, Jun 07, 2018 at 06:38:48PM +0300, Michael S. Tsirkin wrote: > > #syz test: https://github.com/google/kmsan.git/master d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 > > > > Subject: vhost: fix info leak > > > > Fixes: CVE-2018-1118 > > Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

#syz test: https://github.com/google/kmsan.git/master d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 Subject: vhost: fix info leak Fixes: CVE-2018-1118 Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index f0be5f35ab28..9beefa6ed1ce 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2345,6 +2345,9 @@ struct

#syz test: https://github.com/google/kmsan.git/master d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 Subject: vhost: fix info leak Fixes: CVE-2018-1118 Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index f0be5f35ab28..9beefa6ed1ce 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2345,6 +2345,9 @@ struct

When using optional arguments of type OStringList, the code free'ing the member in the optargs_s struct corresponding to that optional argument would just check for a non-PyNone PyObject for that argument. If before that optional argument there are other arguments which can cause an earlier error return from that binding function, the free'ing code will then act on garbage values. Enhance

Fuzzing with afl found a bug where a 27 byte client sequence can cause nbdkit to report a strange error message: $ printf %s $'000\1IHAVEOPT000\6'$'000\7'$'000\1x00' | tr 0 '\0' | ./nbdkit -s memory size=1m >/dev/null nbdkit: memory: error: client exceeded maximum number of options (32) The culprit? The client is hanging up on a message boundary, so

...tiveRecord::Migration def self.up create_table :cost_codes do |t| t.column :job, :integer t.column :code, :integer t.column :description, :string end end def self.down drop_table :cost_codes end end This is the migration that fails with an error of ''uninitalized constant cost_code'' Anyone know what I am doing wrong? 004 class AddCodeCodeData < ActiveRecord::Migration def self.up Costcode.create( :job => ''0'', :code => ''5001'', :description => ''Other adminis...

...> >> Jason Wang (9): >> vhost: don't set uaddr for invalid address >> vhost: validate MMU notifier registration >> vhost: fix vhost map leak >> vhost: reset invalidate_count in vhost_set_vring_num_addr() >> vhost: mark dirty pages during map uninit >> vhost: don't do synchronize_rcu() in vhost_uninit_vq_maps() >> vhost: do not use RCU to synchronize MMU notifier with worker >> vhost: correctly set dirty pages in MMU notifiers callback >> vhost: do not return -EAGAIN for non blocking invalidation too ear...

...> >> Jason Wang (9): >> vhost: don't set uaddr for invalid address >> vhost: validate MMU notifier registration >> vhost: fix vhost map leak >> vhost: reset invalidate_count in vhost_set_vring_num_addr() >> vhost: mark dirty pages during map uninit >> vhost: don't do synchronize_rcu() in vhost_uninit_vq_maps() >> vhost: do not use RCU to synchronize MMU notifier with worker >> vhost: correctly set dirty pages in MMU notifiers callback >> vhost: do not return -EAGAIN for non blocking invalidation too ear...

...e4/kdc/wdc-samba4.c: krb5_error_code samba_wdc_get_pac() calls 1.) source4/kdc/pac-glue.c: samba_kdc_get_pac_blob() /* The user account may be set not to want the PAC */ ... *_pac_blob = NULL; and then calls 2. source4/kdc/pac-glue.c: samba_make_krb5_pac() which tries to use uninitalized "pac_blob" and segfaults A simple patch is attached that solved the problem for me. Bye, Marcel

On Tue, Jul 23, 2019 at 03:57:18AM -0400, Jason Wang wrote: > There's no need for RCU synchronization in vhost_uninit_vq_maps() > since we've already serialized with readers (memory accessors). This > also avoid the possible userspace DOS through ioctl() because of the > possible high latency caused by synchronize_rcu(). > > Reported-by: Michael S. Tsirkin <mst at redhat.com> > Fixes:...

...es introduced by meta data accelreation series. Please review. Jason Wang (6): vhost: don't set uaddr for invalid address vhost: validate MMU notifier registration vhost: fix vhost map leak vhost: reset invalidate_count in vhost_set_vring_num_addr() vhost: mark dirty pages during map uninit vhost: don't do synchronize_rcu() in vhost_uninit_vq_maps() drivers/vhost/vhost.c | 56 +++++++++++++++++++++++++++++++------------ drivers/vhost/vhost.h | 1 + 2 files changed, 42 insertions(+), 15 deletions(-) -- 2.18.1