| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20191028143406.GE1922@kadam>
Date: Mon, 28 Oct 2019 17:34:06 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Takashi Iwai <tiwai@...e.de>
Cc: syzbot <syzbot+0620f79a1978b1133fd7@...kaller.appspotmail.com>,
alsa-devel@...a-project.org, andreyknvl@...gle.com,
benquike@...il.com, g@...vu, linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org, perex@...ex.cz, rfontana@...hat.com,
syzkaller-bugs@...glegroups.com, tiwai@...e.com,
yuehaibing@...wei.com
Subject: Re: KASAN: slab-out-of-bounds Read in build_audio_procunit
I wish that this could have been detected with static analysis...
On Tue, Oct 22, 2019 at 05:45:14PM +0200, Takashi Iwai wrote:
> diff --git a/sound/usb/validate.c b/sound/usb/validate.c
> index 3c8f73a0eb12..a5e584b60dcd 100644
> --- a/sound/usb/validate.c
> +++ b/sound/usb/validate.c
> @@ -75,7 +75,7 @@ static bool validate_processing_unit(const void *p,
>
> if (d->bLength < sizeof(*d))
^^^^^^^^^^^^^^^^^^^^^^^
So we know that d->bLength is >= 10.
> return false;
> - len = d->bLength < sizeof(*d) + d->bNrInPins;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Len is 1 or 0.
> + len = sizeof(*d) + d->bNrInPins;
> if (d->bLength < len)
^^^^^^^^^^^^^^^^
So this condition can't be false.
> return false;
But it just makes this return into dead code and we have a lot of dead
code paths in the kernel so it doesn't make sense to generate a warning.
... I don't know if I have a solution.
Maybe some day we will have a vim pluggin which will highlight all the
dead paths and someone would notice that it that way.
regards,
dan carpenter
Powered by blists - more mailing lists