lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1186329183.3455.13.camel@localhost.localdomain>
Date:	Sun, 05 Aug 2007 10:53:03 -0500
From:	James Bottomley <James.Bottomley@...elEye.com>
To:	Jesper Juhl <jesper.juhl@...il.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	linux-scsi@...r.kernel.org, "Justin T. Gibbs" <gibbs@...iguy.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH][RESEND] Fix a potential NULL pointer deref in the
	aic7xxx, ahc_print_register() function

On Sun, 2007-08-05 at 17:36 +0200, Jesper Juhl wrote:
> On 04/08/07, James Bottomley <James.Bottomley@...eleye.com> wrote:
> > On Sat, 2007-08-04 at 20:30 +0200, Jesper Juhl wrote:
> > > (resend of patch previously submitted on 28-Jul-2007 23:06)
> > >
> > >
> > > Ehlo,
> > >
> > > The Coverity checker noticed that we have a potential NULL pointer
> > > deref in drivers/scsi/aic7xxx/aic7xxx_core.c::ahc_print_register().
> > > This patch handles it by adding the same test against NULL that is
> > > used elsewhere in the same function.
> >
> > It's on my list of things to look at ... but not very high.  I suspect
> > it actually isn't triggerable, but if you can tell me how, it will save
> > me from looking.
> >
> 
> Here's what Coverity reported :
> ...
> 6525 	int
> 6526 	ahc_print_register(ahc_reg_parse_entry_t *table, u_int num_entries,
> 6527 			   const char *name, u_int address, u_int value,
> 6528 			   u_int *cur_column, u_int wrap_point)
> 6529 	{
> 6530 		int	printed;
> 6531 		u_int	printed_mask;
> 6532 	
> 
> Event var_compare_op: Added "cur_column" due to comparison "cur_column != 0"
> Also see events: [var_deref_op]
> At conditional (1): "cur_column != 0" taking false path
> 
> 6533 		if (cur_column != NULL && *cur_column >= wrap_point) {
> 6534 			printf("\n");
> 6535 			*cur_column = 0;
> 6536 		}
> 6537 		printed = printf("%s[0x%x]", name, value);
> 
> At conditional (2): "table == 0" taking true path
> 
> 6538 		if (table == NULL) {
> 6539 			printed += printf(" ");
> 
> Event var_deref_op: Variable "cur_column" tracked as NULL was dereferenced.
> Also see events: [var_compare_op]
> 
> 6540 			*cur_column += printed;
> 6541 			return (printed);
> 6542 		}
> ...
> 
> So it requires a NULL 'table' and a != NULL 'cur_column' to trigger.
> Whether or not that's actually possible I'm not sure, but it seems
> safer to guard against it :)
> 
> 
> By the way; if this can actually be triggered, then
> ahd_print_register() has the same problem.

But this is precisely the point.  A large number of drivers have purely
internal functions, which this is.  Most often, because the API is
purely internal to the driver, misuse is reported via BUG_ON (supposed
to be picked up by the driver writer in their testing).  The problem
with this is that we never do:

BUG_ON(ptr==NULL);

Because a simple use of the null pointer will also trigger the bug, so
we don't need the check.

I suspect table == NULL requires cur_column != NULL as part of the
internal API and there's no BUG_ON checking for it because the use of
the pointer would be the BUG.

If you blindly go checking for NULL and coping with it, you've actually
weakened our internal API checking, which definitely isn't the object of
the exercise.  Worse, becase we have no maintainer for this driver
someone touching it could easily get this wrong and a subtle and much
harder to find bug will be introduced.

So, as I said, if you can prove

table == NULL && cur_column == NULL

should be a genuine use case of the API then by all means, this can go
in.

James


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ