lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <bfc07f58-80d0-32bb-149f-db8f41672520@gmail.com>
Date:   Tue, 3 Aug 2021 10:34:12 +0800
From:   Li Tuo <islituo@...il.com>
To:     Brian Norris <briannorris@...omium.org>
Cc:     amit karwar <amitkarwar@...il.com>,
        Ganapathi Bhat <ganapathi017@...il.com>,
        Sharvari Harisangam <sharvari.harisangam@....com>,
        Xinming Hu <huxinming820@...il.com>,
        Kalle Valo <kvalo@...eaurora.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        linux-wireless <linux-wireless@...r.kernel.org>,
        netdev@...r.kernel.org,
        Linux Kernel <linux-kernel@...r.kernel.org>,
        baijiaju1990@...il.com
Subject: Re: [BUG] mwifiex: possible null-pointer dereference in
 mwifiex_dnld_cmd_to_fw()

Thanks for your feedback! I think we can test and submit a patch to drop
the excess check as the example you mentioned.

Best wishes,
Tuo Li


On 2021/8/3 4:44, Brian Norris wrote:
> Hi,
>
> On Fri, Jul 30, 2021 at 9:13 PM Li Tuo <islituo@...il.com> wrote:
>> Our static analysis tool finds a possible null-pointer dereference in
>> the mwifiex driver in Linux 5.14.0-rc3:
> Wouldn't be the first time a static analysis tool tripped up over
> excessively redundant "safety" checks :)
>
> For example:
> https://lore.kernel.org/linux-wireless/20210731163546.10753-1-len.baker@gmx.com/T/#u
>
>> The variable cmd_node->cmd_skb->data is assigned to the variable
>> host_cmd, and host_cmd is checked in:
>> 190:    if (host_cmd == NULL || host_cmd->size == 0)
>>
>> This indicates that host_cmd can be NULL.
>> If so, the function mwifiex_recycle_cmd_node() will be called with the
>> argument cmd_node:
>> 196:    mwifiex_recycle_cmd_node(adapter, cmd_node);
>>
>> In this called function, the variable cmd_node->cmd_skb->data is
>> assigned to the variable host_cmd, too.
>> Thus the variable host_cmd in the function mwifiex_recycle_cmd_node()
>> can be also NULL.
>> However, it is dereferenced when calling le16_to_cpu():
>> 144:    le16_to_cpu(host_cmd->command)
>>
>> I am not quite sure whether this possible null-pointer dereference is
>> real and how to fix it if it is real.
>> Any feedback would be appreciated, thanks!
> I doubt it's real; the NULL check is probably excessive. I don't think
> there's any case in which such skb's will have no ->data. If you're
> interested, you could test and submit a "fix" to drop the excess
> check.
>
> Brian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ