| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 May 2017 11:10:51 +0300
From: Felipe Balbi <balbi@...nel.org>
To: "Gustavo A. R. Silva" <garsilva@...eddedor.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Michal Nazarewicz <mina86@...a86.com>
Cc: linux-geode@...ts.infradead.org, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org,
Peter Senna Tschudin <peter.senna@...il.com>
Subject: Re: [usb-gadget-udc] question about null check after calling phys_to_virt() function
Hi,
"Gustavo A. R. Silva" <garsilva@...eddedor.com> writes:
> Hello everybody,
>
> While looking into Coverity ID 145958 I ran into the following piece
> of code at drivers/usb/gadget/udc/amd5536udc.c:852:
>
> } else if (i == buf_len) {
> /* first td */
> td = (struct udc_data_dma *)phys_to_virt(
> req->td_data->next);
> td->status = 0;
> } else {
> td = (struct udc_data_dma *)phys_to_virt(last->next);
> td->status = 0;
> }
>
> if (td)
> td->bufptr = req->req.dma + i; /* assign buffer */
> else
> break;
>
> The issue here is that _td_ pointer is being dereferenced before null check.
>
> After searching for calls to phys_to_virt() function, I've noticed
> that is not common at all to test the returned address value.
>
> So either the null check at line 862 is not needed or a null check
> before each td->status = 0; needs to be added.
just remove the previous null check
--
balbi
Download attachment "signature.asc" of type "application/pgp-signature" (833 bytes)
Powered by blists - more mailing lists