Skip to content

修复单向列表移除节点时存在的安全风险. #10377

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Rbb666 merged 1 commit into from
Jun 13, 2025
Merged

修复单向列表移除节点时存在的安全风险. #10377

Rbb666 merged 1 commit into from
Jun 13, 2025

Conversation

@Vandoul
Copy link
Contributor

@Vandoul Vandoul commented Jun 10, 2025
edited
Loading

拉取/合并请求描述:(PR description)

[

为什么提交这份PR (why to submit this PR)

内核提供的单向链表存在安全风险

你的解决方案是什么 (what is your solution)

将被移除的节点的next指针指向NULL

请提供验证的bsp和config (provide the config and bsp)

  • BSP:不涉及BSP
  • .config:不涉及.config
  • action:

]

当前拉取/合并请求的状态 Intent for your PR

必须选择一项 Choose one (Mandatory):

  • 本拉取/合并请求是一个草稿版本 This PR is for a code-review and is intended to get feedback
  • 本拉取/合并请求是一个成熟版本 This PR is mature, and ready to be integrated into the repo

代码质量 Code Quality:

我在这个拉取/合并请求中已经考虑了 As part of this pull request, I've considered the following:

  • 已经仔细查看过代码改动的对比 Already check the difference between PR and old code
  • 代码风格正确,包括缩进空格,命名及其他风格 Style guide is adhered to, including spacing, naming and other styles
  • 没有垃圾代码,代码尽量精简,不包含#if 0代码,不包含已经被注释了的代码 All redundant code is removed and cleaned up
  • 所有变更均有原因及合理的,并且不会影响到其他软件组件代码或BSP All modifications are justified and not affect other components or BSP
  • 对难懂代码均提供对应的注释 I've commented appropriately where code is tricky
  • 代码是高质量的 Code in this PR is of high quality
  • 已经使用formatting 等源码格式化工具确保格式符合RT-Thread代码规范 This PR complies with RT-Thread code specification
  • 如果是新增bsp, 已经添加ci检查到.github/workflows/bsp_buildings.yml 详细请参考链接BSP自查

@Vandoul
修复单向列表移除节点时存在的安全风险.
d879776 
Signed-off-by: vandoul <vandoul@ticks.cn>
GorrayLi
GorrayLi reviewed Jun 10, 2025
View reviewed changes
Copy link
Contributor

@GorrayLi GorrayLi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. rt_slist_pop()中这一处,个人不建议加。理由是,函数的返回值是弹出的节点,即调用者可能会用到它(不一定只用到其data信息),因此尽量不要破坏被移除节点中的原始信息。例如,调用者可通过返回node的next指针是否为空,判断其是否为最后一个节点。
    若出于安全考虑,不妨在调用处,根据实际使用场景决定是否对node的next指针赋空。
  2. rt_slist_remove()中这一处,同意修改。被移除的节点与链表断开连接,避免误用而意外修改链表结构。

@Vandoul
Copy link
Contributor Author

Vandoul commented Jun 10, 2025
edited
Loading

  1. rt_slist_pop()中这一处,个人不建议加。理由是,函数的返回值是弹出的节点,即调用者可能会用到它(不一定只用到其data信息),因此尽量不要破坏被移除节点中的原始信息。例如,调用者可通过返回node的next指针是否为空,判断其是否为最后一个节点。
    若出于安全考虑,不妨在调用处,根据实际使用场景决定是否对node的next指针赋空。
  2. rt_slist_remove()中这一处,同意修改。被移除的节点与链表断开连接,避免误用而意外修改链表结构。

rt_slist_pop中弹出的是首节点,判断是否为最后一个节点可以通过list头去判断,这样符合的使用逻辑,
比如通过pop出来的节点去循环pop就会破坏原来list的结构;
让调用者去直接使用next风险还是很大的,会衍生出来很多不可控的用法,也可能成为一个攻击点。
所以个人觉得还是应该把next置空,已经pop出去或移除的节点不应该还有对list操作权限。

@Rbb666 Rbb666 added the Kernel PR has src relate code label Jun 13, 2025
@Rbb666 Rbb666 merged commit 169d84d into RT-Thread:master Jun 13, 2025
60 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Rbb666 Rbb666 Rbb666 approved these changes

+1 more reviewer

@GorrayLi GorrayLi GorrayLi approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Kernel PR has src relate code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Vandoul @GorrayLi @Rbb666