lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-id: <1395130095.13308.0.camel@AMDC1943>
Date:	Tue, 18 Mar 2014 09:08:15 +0100
From:	Krzysztof Kozlowski <k.kozlowski@...sung.com>
To:	Jonathan Cameron <jic23@...nel.org>
Cc:	linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org,
	Beomho Seo <beomho.seo@...sung.com>,
	Lars-Peter Clausen <lars@...afoo.de>
Subject: Re: [PATCH] iio: cm36651: Fix i2c client leak and possible NULL
 pointer dereference

On Mon, 2014-03-17 at 19:24 +0000, Jonathan Cameron wrote:
> On 17/03/14 08:01, Krzysztof Kozlowski wrote:
> > Hi,
> >
> > On Sat, 2014-03-15 at 16:24 +0000, Jonathan Cameron wrote:
> >> On 06/03/14 09:33, Krzysztof Kozlowski wrote:
> >>> During probe the driver allocates dummy I2C devices (i2c_new_dummy())
> >>> but they aren't unregistered during driver remove or probe failure.
> >>>
> >>> Additionally driver does not check the return value of i2c_new_dummy().
> >>> In case of error (i2c_new_device(): memory allocation failure or I2C
> >>> address cannot be used) this function returns NULL which is later
> >>> dereferenced by i2c_smbus_{read,write}_data() functions.
> >>>
> >>> Fix issues by properly checking for i2c_new_dummy() return value and
> >>> unregistering I2C devices on driver remove or probe failure.
> >>>
> >>> Signed-off-by: Krzysztof Kozlowski <k.kozlowski@...sung.com>
> >> Good catch, but the error path needs more care.
> >>> ---
> >>>    drivers/iio/light/cm36651.c |   12 ++++++++++++
> >>>    1 file changed, 12 insertions(+)
> >>>
> >>> diff --git a/drivers/iio/light/cm36651.c b/drivers/iio/light/cm36651.c
> >>> index a45e07492db3..e7e9a597159f 100644
> >>> --- a/drivers/iio/light/cm36651.c
> >>> +++ b/drivers/iio/light/cm36651.c
> >>> @@ -653,6 +653,11 @@ static int cm36651_probe(struct i2c_client *client,
> >>>    	cm36651->ps_client = i2c_new_dummy(client->adapter,
> >>>    						     CM36651_I2C_ADDR_PS);
> >>>    	cm36651->ara_client = i2c_new_dummy(client->adapter, CM36651_ARA);
> >>> +	if (!cm36651->ps_client || !cm36651->ara_client) {
> >>> +		dev_err(&client->dev, "%s: new i2c device failed\n", __func__);
> >>> +		ret = -ENODEV;
> >>> +		goto error_i2c_unregister;
> >>> +	}
> >> The two failures need to be handled independently as we only want to unregister
> >> those that succeeded.  i2c_new_dummy will not return an error and leave a device
> >> registered.  This is particularly true given the first thing that i2c_unregister_device
> >> does is to derefence the client pointer.  That will cause a segfault if you do it
> >> for NULL as here.
> >>
> >
> > Where the segfault would occur? If i2c_new_dummy fails then
> > i2c_unregister_device() will be called only on NON-null values:
> > 	+error_i2c_unregister:
> > 	+	if (cm36651->ps_client)
> > 	+		i2c_unregister_device(cm36651->ps_client);
> > 	+	if (cm36651->ara_client)
> > 	+		i2c_unregister_device(cm36651->ara_client);
> >
> > If probe() succeeds (both i2c_new_dummy return proper pointer) then
> > remove() will unregister two i2c devices.
> >
> Oops, I missed that.  Still, the form of this is unusual so please
> change it to the more conventional option of a goto per error rather
> than grouping them.  That will also allow you to drop the null checks
> below leading to a more obviously correct error path.

Sure, I'll send a fixed version.

Best regards,
Krzysztof


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ