linux-kernel - Re: [PATCH v2] mmc: bcm2835: fix potential null pointer dereferences

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date:   Mon, 29 May 2017 16:42:45 +0200
From:   Ulf Hansson <ulf.hansson@...aro.org>
To:     "Gustavo A. R. Silva" <garsilva@...eddedor.com>
Cc:     Stefan Wahren <stefan.wahren@...e.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        Ray Jui <rjui@...adcom.com>,
        Scott Branden <sbranden@...adcom.com>,
        BCM Kernel Feedback <bcm-kernel-feedback-list@...adcom.com>,
        Eric Anholt <eric@...olt.net>,
        "linux-mmc@...r.kernel.org" <linux-mmc@...r.kernel.org>,
        linux-rpi-kernel@...ts.infradead.org,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] mmc: bcm2835: fix potential null pointer dereferences

On 25 May 2017 at 19:04, Gustavo A. R. Silva <garsilva@...eddedor.com> wrote:
> Null check at line 1165: if (mrq->cmd), implies that mrq->cmd might
> be NULL.
> Add null checks before dereferencing pointer mrq->cmd in order to avoid
> any potential NULL pointer dereference.
>
> Addresses-Coverity-ID: 1408740
> Tested-by: Stefan Wahren <stefan.wahren@...e.com>
> Signed-off-by: Gustavo A. R. Silva <garsilva@...eddedor.com>

Thanks, applied for next!

Kind regards
Uffe

> ---
> Changes in v2:
>  Change subject to make it clear the patch is bcm2835 related.
>
>  drivers/mmc/host/bcm2835.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/mmc/host/bcm2835.c b/drivers/mmc/host/bcm2835.c
> index 1f343a4..abba9a2 100644
> --- a/drivers/mmc/host/bcm2835.c
> +++ b/drivers/mmc/host/bcm2835.c
> @@ -1172,7 +1172,10 @@ static void bcm2835_request(struct mmc_host *mmc, struct mmc_request *mrq)
>         if (mrq->data && !is_power_of_2(mrq->data->blksz)) {
>                 dev_err(dev, "unsupported block size (%d bytes)\n",
>                         mrq->data->blksz);
> -               mrq->cmd->error = -EINVAL;
> +
> +               if (mrq->cmd)
> +                       mrq->cmd->error = -EINVAL;
> +
>                 mmc_request_done(mmc, mrq);
>                 return;
>         }
> @@ -1194,7 +1197,10 @@ static void bcm2835_request(struct mmc_host *mmc, struct mmc_request *mrq)
>                         readl(host->ioaddr + SDCMD) & SDCMD_CMD_MASK,
>                         edm);
>                 bcm2835_dumpregs(host);
> -               mrq->cmd->error = -EILSEQ;
> +
> +               if (mrq->cmd)
> +                       mrq->cmd->error = -EILSEQ;
> +
>                 bcm2835_finish_request(host);
>                 mutex_unlock(&host->mutex);
>                 return;
> @@ -1207,7 +1213,7 @@ static void bcm2835_request(struct mmc_host *mmc, struct mmc_request *mrq)
>                         if (!host->use_busy)
>                                 bcm2835_finish_command(host);
>                 }
> -       } else if (bcm2835_send_command(host, mrq->cmd)) {
> +       } else if (mrq->cmd && bcm2835_send_command(host, mrq->cmd)) {
>                 if (host->data && host->dma_desc) {
>                         /* DMA transfer starts now, PIO starts after irq */
>                         bcm2835_start_dma(host);
> --
> 2.5.0
>