lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20151112135500.GA1131@ulmo>
Date:	Thu, 12 Nov 2015 14:55:00 +0100
From:	Thierry Reding <thierry.reding@...il.com>
To:	Uwe Kleine-König <u.kleine-koenig@...gutronix.de>
Cc:	LABBE Corentin <montjoie.mailing@...il.com>,
	LABBE Corentin <clabbe.montjoie@...il.com>, gnurou@...il.com,
	ldewangan@...dia.com, swarren@...dotorg.org, wsa@...-dreams.de,
	linux-i2c@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-tegra@...r.kernel.org
Subject: Re: [PATCH] i2c: tegra: fix a possible NULL dereference

On Thu, Nov 12, 2015 at 02:45:20PM +0100, Uwe Kleine-König wrote:
> On Thu, Nov 12, 2015 at 02:28:37PM +0100, Thierry Reding wrote:
> > On Thu, Nov 12, 2015 at 01:54:22PM +0100, LABBE Corentin wrote:
> > > On Thu, Nov 12, 2015 at 01:29:23PM +0100, Thierry Reding wrote:
> > > > On Thu, Nov 12, 2015 at 08:26:03AM +0100, LABBE Corentin wrote:
> > > > > of_match_device could return NULL, and so cause a NULL pointer
> > > > 
> > > > No. There is no way that of_match_device() can ever fail. The driver
> > > > core uses the same table to match the OF device to the driver, so the
> > > > only case where of_match_device() would return NULL is if no match was
> > > > found, in which case the tegra_i2c_probe() function would never have
> > > > been called in the first place.
> > > > 
> > > > Thierry
> > > > 
> > > 
> > > In a parallel thread for i2c-rcar, the conclusion was different.
> > > https://lkml.org/lkml/2015/11/12/83
> > 
> > The conclusion was the same: there should be no case where this happens.
> > The example that Uwe gave is hypothetical and not valid DT in the first
> > place. So instead of chickening out I think it'd be better to just crash
> > to make sure people fix the DT.
> 
> It depends in your trust in the DT. Just because it's not advisable to
> do something that is not documented usually isn't a good excuse to not
> handle broken input. That't the case for webserver requests, arguments
> to system calls and several more. I admit DT is a bit special because
> you have to assume it's trusted, but still handling errors in a sane way
> is IMHO nice.

Given that it's supposed to be provided by firmware and possibly from a
ROM, crashing might be a better motivation for fixing it than erroring
out, which people might just ignore or not notice until it's too late.

> > On a side-note I think that platform_match() should be stricter and do
> > something like this instead:
> > 
> > 	if (dev->of_node) {
> > 		if (of_driver_match_device(dev, drv))
> > 			return 1;
> > 
> > 		return 0;
> > 	}
> That's equivalent to
> 
> 	if (dev->of_node)
> 		return of_driver_match_device(dev, drv);
> 
> and was already suggested in the thread referenced from my reply to
> http://article.gmane.org/gmane.linux.kernel/2083641 :-)

Ah, too many cross-reference =) FWIW:

Acked-by: Thierry Reding <treding@...dia.com>

If we want to gracefully handle this, then let's do it in the core by
making sure that drivers where it would return NULL are never probed,
rather than coding this check in every single driver.

Thierry

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ