lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 24 May 2017 12:34:19 +0100
From:   Paolo Valente <paolo.valente@...aro.org>
To:     "Gustavo A. R. Silva" <garsilva@...eddedor.com>
Cc:     Jens Axboe <axboe@...nel.dk>, linux-block@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [block] question about potential null pointer dereference


> Il giorno 23 mag 2017, alle ore 22:52, Gustavo A. R. Silva <garsilva@...eddedor.com> ha scritto:
> 
> 
> Hello everybody,
> 

Hi

> While looking into Coverity ID 1408828 I ran into the following piece of code at block/bfq-wf2q.c:542:
> 
> 542static struct rb_node *bfq_find_deepest(struct rb_node *node)
> 543{
> 544        struct rb_node *deepest;
> 545
> 546        if (!node->rb_right && !node->rb_left)
> 547                deepest = rb_parent(node);
> 548        else if (!node->rb_right)
> 549                deepest = node->rb_left;
> 550        else if (!node->rb_left)
> 551                deepest = node->rb_right;
> 552        else {
> 553                deepest = rb_next(node);
> 554                if (deepest->rb_right)
> 555                        deepest = deepest->rb_right;
> 556                else if (rb_parent(deepest) != node)
> 557                        deepest = rb_parent(deepest);
> 558        }
> 559
> 560        return deepest;
> 561}
> 
> The issue here is that there is a potential NULL pointer dereference at line 554, in case function rb_next() returns NULL.
> 

Can rb_next(node) return NULL, although node is guaranteed to have both
a left and a right child at line 554?

Thanks,
Paolo

> Maybe a patch like the following could be applied in order to avoid any chance of a NULL pointer dereference:
> 
> index 8726ede..28d8b90 100644
> --- a/block/bfq-wf2q.c
> +++ b/block/bfq-wf2q.c
> @@ -551,6 +551,8 @@ static struct rb_node *bfq_find_deepest(struct rb_node *node)
>                deepest = node->rb_right;
>        else {
>                deepest = rb_next(node);
> +               if (!deepest)
> +                       return NULL;
>                if (deepest->rb_right)
>                        deepest = deepest->rb_right;
>                else if (rb_parent(deepest) != node)
> 
> What do you think?
> 
> I'd really appreciate any comment on this.
> 
> Thank you!
> --
> Gustavo A. R. Silva
> 
> 
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ