Date: Wed, 20 Mar 2024 18:12:51 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Simon Horman <horms@...nel.org>
Cc: Claus Hansen Ries <chr@...ma.com>, netdev@...r.kernel.org,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Michal Simek <michal.simek@....com>, Alex Elder <elder@...aro.org>,
	Wei Fang <wei.fang@....com>,
	Uwe Kleine-König <u.kleine-koenig@...gutronix.de>,
	Rob Herring <robh@...nel.org>, Wang Hai <wanghai38@...wei.com>
Subject: Re: [PATCH] net: ll_temac: platform_get_resource replaced by wrong
 function

On Wed, Mar 20, 2024 at 11:54:33AM +0000, Simon Horman wrote:
> > ---
> >  drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
> > index 9df39cf8b097..1072e2210aed 100644
> > --- a/drivers/net/ethernet/xilinx/ll_temac_main.c
> > +++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
> > @@ -1443,7 +1443,7 @@ static int temac_probe(struct platform_device *pdev)
> >         }
> >           /* map device registers */
> > -       lp->regs = devm_platform_ioremap_resource_byname(pdev, 0);
> > +       lp->regs = devm_platform_ioremap_resource(pdev, 0);
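
Review bot: on the `-` line in temac_probe(), the 0 was going into the name parameter of devm_platform_ioremap_resource_byname(), which is a `const char *`, so it was a NULL name and not resource index 0. The `+` line's devm_platform_ioremap_resource(pdev, 0) takes an index and is the right call. Because the old line could never have mapped the registers, the changelog should say that probe was broken outright and carry a Fixes: tag for the commit that introduced the _byname call, if it does not already.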

This should have triggered a Sparse warning "warning: Using plain
integer as NULL pointer" but the problem is that this file does not have
correct endian annotations and after a certain number of warnings Sparse
gives up.

It's a bit tricky to check for this in Smatch because it's not
dereferenced unconditionally.  Perhaps instead of asking "Does this
function always dereference the parameter?"  Smatch would ask, "Can
this function succeed with a NULL parameter?"  I don't know...  And
even that might not help here because the success path is complicated.
I can hard code this as a dereferenced parameter by adding it to
smatch_dereferences.c.

	{ "devm_platform_ioremap_resource_byname", 1, "$" },

But adding functions one by one doesn't scale.

The other thing is that this kind of bug is normally caught in testing
so it's not really suited for static analysis.  Normally the warnings
mean something weird is happening like it's COMPILE_TEST only code.
The common false positive is that the dereference is several steps away
and the function call table hasn't rebuilt enough to know that passing
a NULL used to be illegal but it's allowed now.

Looking at the warnings there is only one false positive:

net/netfilter/x_tables.c:1630 xt_mttg_seq_start() error: NULL dereference inside function 'xt_mttg_seq_next(seq, (0), (0), is_target)()'. '0' '(0)' 49 9

I'll investigate that.  The rest seem like real bugs.

drivers/scsi/pcmcia/qlogic_stub.c:274 qlogic_resume() error: NULL dereference inside function 'qlogicfas408_host_reset((0))()'. '0' '(0)' 33 9
drivers/net/ethernet/cavium/liquidio/lio_main.c:810 liquidio_watchdog() error: NULL dereference inside function 'module_refcount((0))()'. '0' '(0)' 44 9
drivers/net/ethernet/nxp/lpc_eth.c:1401 lpc_eth_drv_probe() error: NULL dereference inside function 'lpc32xx_return_iram((0), (0))()'. '0' '(0)' 62 9
drivers/net/ethernet/nxp/lpc_eth.c:1401 lpc_eth_drv_probe() error: NULL dereference inside function 'lpc32xx_return_iram((0), (0))()'. '0' '(0)' 56 9
drivers/net/ethernet/nxp/lpc_eth.c:1428 lpc_eth_drv_remove() error: NULL dereference inside function 'lpc32xx_return_iram((0), (0))()'. '0' '(0)' 62 9
drivers/net/ethernet/nxp/lpc_eth.c:1428 lpc_eth_drv_remove() error: NULL dereference inside function 'lpc32xx_return_iram((0), (0))()'. '0' '(0)' 56 9
net/rxrpc/io_thread.c:454 rxrpc_io_thread() error: NULL dereference inside function 'rxrpc_input_conn_event(conn, (0))()'. '0' '(0)' 54 9

regards,
dan carpenter
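
Added illustration, not part of the message above and not kernel or Smatch code: a constructed userspace model of the two questions the message contrasts, "does the function always dereference the parameter" versus "can it succeed with a NULL parameter". All names here (`res_by_index`, `res_by_name`, `res_by_name_checked`, `sample`) are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed userspace model; every name here is hypothetical. */
struct res {
	const char *name;	/* may be NULL for an unnamed resource */
	unsigned long start;
};

/* Lookup by index: a literal 0 means "first resource" and is valid. */
const struct res *res_by_index(const struct res *tbl, size_t n, unsigned int idx)
{
	return idx < n ? &tbl[idx] : NULL;
}

/*
 * Lookup by name, unguarded. 'name' reaches strcmp() only when the table
 * holds a named entry, so it is not dereferenced on every path. The only
 * successful return sits after that strcmp(), so the function still cannot
 * succeed when 'name' is NULL.
 */
const struct res *res_by_name(const struct res *tbl, size_t n, const char *name)
{
	size_t i;
	for (i = 0; i < n; i++) {
		if (!tbl[i].name)
			continue;
		if (!strcmp(tbl[i].name, name))
			return &tbl[i];
	}
	return NULL;
}

/* Guarded wrapper: a NULL name (including a literal 0) is refused up front. */
const struct res *res_by_name_checked(const struct res *tbl, size_t n, const char *name)
{
	return name ? res_by_name(tbl, n, name) : NULL;
}

/* Constructed sample table: one unnamed and one named resource. */
static const struct res sample[] = {
	{ NULL, 0x1000 },
	{ "regs", 0x2000 },
};

int main(void)
{
	return !(res_by_index(sample, 2, 0) == &sample[0] && res_by_name_checked(sample, 2, 0) == NULL);
}
```

In the model, a NULL name passes through `res_by_name` unharmed only when no named entry is reached, which is why an "always dereferences" check stays silent on this shape of function.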

