lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 14 Feb 2018 08:57:51 +1000
From:   Ben Skeggs <bskeggs@...hat.com>
To:     "Gustavo A. R. Silva" <garsilva@...eddedor.com>
Cc:     David Airlie <airlied@...ux.ie>, dri-devel@...ts.freedesktop.org,
        nouveau@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: Re: [drm-nouveau-mmu] question about potential NULL pointer dereference

On Wed, Feb 14, 2018 at 1:40 AM, Gustavo A. R. Silva
<garsilva@...eddedor.com> wrote:
>
> Hi all,
>
> While doing some static analysis I ran into the following piece of code at
> drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c:957:
>
>  957#define node(root, dir) ((root)->head.dir == &vmm->list) ? NULL :
> \
>  958        list_entry((root)->head.dir, struct nvkm_vma, head)
>  959
>  960void
>  961nvkm_vmm_unmap_region(struct nvkm_vmm *vmm, struct nvkm_vma *vma)
>  962{
>  963        struct nvkm_vma *next;
>  964
>  965        nvkm_memory_tags_put(vma->memory, vmm->mmu->subdev.device,
> &vma->tags);
>  966        nvkm_memory_unref(&vma->memory);
>  967
>  968        if (vma->part) {
>  969                struct nvkm_vma *prev = node(vma, prev);
>  970                if (!prev->memory) {
>  971                        prev->size += vma->size;
>  972                        rb_erase(&vma->tree, &vmm->root);
>  973                        list_del(&vma->head);
>  974                        kfree(vma);
>  975                        vma = prev;
>  976                }
>  977        }
>  978
>  979        next = node(vma, next);
>  980        if (next && next->part) {
>  981                if (!next->memory) {
>  982                        vma->size += next->size;
>  983                        rb_erase(&next->tree, &vmm->root);
>  984                        list_del(&next->head);
>  985                        kfree(next);
>  986                }
>  987        }
>  988}
>
> The issue here is that in case _node_ returns NULL, _prev_ is not being null
> checked, hence there is a potential null pointer dereference at line 970.
>
> Notice that _next_ is being null checked at line 980, so I wonder if _prev_
> should be checked the same as _next_.
>
> The fact that both _next_ and next->part are null checked, makes me wonder
> if in case _prev_ actually needs to be checked, there is another pointer
> contained into _prev_ to be validated as well? I'm sorry, this is not clear
> to me at this moment.
It's not checked because it can't happen.  If vma->part is set, there
will be a previous node that it was split from.

Ben.

>
> I appreciate your feedback
> Thank you
> --
> Gustavo
>
>
>
>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ