lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6601006.JhxPbakEoc@localhost.localdomain>
Date:   Tue, 24 Aug 2021 14:01:02 +0200
From:   "Fabio M. De Francesco" <fmdefrancesco@...il.com>
To:     Larry Finger <Larry.Finger@...inger.net>,
        Phillip Potter <phil@...lpotter.co.uk>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org,
        Pavel Skripkin <paskripkin@...il.com>
Subject: Re: [PATCH 1/2] staging: r8188eu: Use usb_control_msg_recv/send() in usbctrl_vendorreq()

On Tuesday, August 24, 2021 1:07:46 PM CEST Pavel Skripkin wrote:
> 
> Btw, not related to your patch, but I start think, that this check:
> 
> 
> 	if (!pIo_buf) {
> 		DBG_88E("[%s] pIo_buf == NULL\n", __func__);
> 		status = -ENOMEM;
> 		goto release_mutex;
> 	}
> 
> Should be wrapped as
> 
> 	if (WARN_ON(unlikely(!pIo_buf)) {
> 		...
> 	}
> 
> Since usb_vendor_req_buf is initialized in ->probe() and I can't see 
> possible calltrace, which can cause zeroing this pointer.

I see that usb_vendor_req_buf is initialized in rtw_init_intf_priv(). It depends on a 
kzalloc() success on allocating memory. Obviously it could fail to allocate. If it fails,
rtw_init_intf_priv() returns _FAIL to its caller(s) (whichever they are - I didn't go too 
deep in understanding the possible calls chains).

What does really matter is that dvobjpriv->usb_vendor_req_buf _could_ _indeed_ _be_
in an _un-initialized_ _status_ when it is assigned to pIo_buf.  

> Something _completely_ wrong is going on if usb_vendor_req_buf is NULL, 
> and we should complain loud about it. What do you think?

That "if (!pIo_buf)" in usbctrl_vendorreq() manages a possible but remote (I guess)
un-initialization by releasing a mutex and returning -ENOMEM.

I think that technically speaking it would suffice if callers read and manage properly 
the -ENOMEM returned by usbctrl_vendorreq(). 

Said that, I have no sufficient experience to say if exiting and returning -ENOMEM would
suffice to not make happen "_something _completely_ wrong_" or if a WARN_ON is required.
I'm sorry for not being able to go beyond the confirmation that indeed dvobjpriv->usb_vendor_req
could be un-initialized.

Regards,

Fabio

> With regards,
> Pavel Skripkin
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ