| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Aug 2014 11:45:08 -0700
From: Randy Dunlap <rdunlap@...radead.org>
To: Nick Krause <xerofoify@...il.com>
CC: Greg KH <gregkh@...uxfoundation.org>,
"devel@...verdev.osuosl.org" <devel@...verdev.osuosl.org>,
lisa@...apiadmin.com, Ben Hutchings <ben@...adent.org.uk>,
Valentina Manea <valentina.manea.m@...il.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] staging: Check against NULL in fw_download_code
On 08/11/14 11:26, Nick Krause wrote:
> On Mon, Aug 11, 2014 at 2:07 PM, Randy Dunlap <rdunlap@...radead.org> wrote:
>> On 08/11/14 11:04, Nick Krause wrote:
>>> On Mon, Aug 11, 2014 at 2:02 PM, Nicholas Krause <xerofoify@...il.com> wrote:
>>>> I am fixing the bug entry , https://bugzilla.kernel.org/show_bug.cgi?id=60461.
>>>> This entry states that we are not checking the skb allocated in fw_download_code
>>>> and after checking I fixed it to check for the NULL value before using the allocate
>>>> skb.
>>>>
>>>> Signed-off-by: Nicholas Krause <xerofoify@...il.com>
>>>> ---
>>>> drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c | 14 ++++++++------
>>>> 1 file changed, 8 insertions(+), 6 deletions(-)
>>>>
>>>> diff --git a/drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c b/drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c
>>>> index 1a95d1f..0a4c926 100644
>>>> --- a/drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c
>>>> +++ b/drivers/staging/rtl8192e/rtl8192e/r8192E_firmware.c
>>>> @@ -60,13 +60,15 @@ static bool fw_download_code(struct net_device *dev, u8 *code_virtual_address,
>>>>
>>>> }
>>>>
>>>> - skb = dev_alloc_skb(frag_length + 4);
>>>> - memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
>>>> - tcb_desc = (struct cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
>>>> - tcb_desc->queue_index = TXCMD_QUEUE;
>>>> - tcb_desc->bCmdOrInit = DESC_PACKET_TYPE_INIT;
>>>> - tcb_desc->bLastIniPkt = bLastIniPkt;
>>>>
>>>> + skb = dev_alloc_skb(frag_length + 4);
>>>> + if (skb) {
>>>> + memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
>>>> + tcb_desc = (struct cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
>>>> + tcb_desc->queue_index = TXCMD_QUEUE;
>>>> + tcb_desc->bCmdOrInit = DESC_PACKET_TYPE_INIT;
>>>> + tcb_desc->bLastIniPkt = bLastIniPkt;
>>>> + }
>>
>> and what happens here (below) if skb is NULL?
Nick,
I'm asking if you have completely fixed the bug or only partially fixed it.
The answer is that the patch is only a partial fix. If skb is NULL, there
is still a problem in the statement below here. The kernel will oops on
that reference to skb, which is NULL.
>>
>>>> seg_ptr = skb->data;
>>>> for (i = 0; i < frag_length; i += 4) {
>>>> *seg_ptr++ = ((i+0) < frag_length) ?
>>>> --
>>>> 1.9.1
>>>>
>>> And I did check it against Linus's tree to make sure it applies , just
>>> to let you known.
>>> Nick
>>
>>
>> --
>> ~Randy
> Sorry Randy.
> I may be mis reading this, but are you asking me to write a different
> commit message or is this patch just another bad patch in my series of
> bad patches?
--
~Randy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists