Date:   Thu, 14 Oct 2021 22:45:13 +0800
From:   kernel test robot <lkp@...el.com>
To:     Ziyang Xuan <william.xuanziyang@...wei.com>, rafael@...nel.org,
        daniel.lezcano@...aro.org
Cc:     llvm@...ts.linux.dev, kbuild-all@...ts.01.org, rui.zhang@...el.com,
        linux-pm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] thermal/core: fix a UAF bug in
 __thermal_cooling_device_register()

Hi Ziyang,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on rafael-pm/thermal]
[also build test WARNING on v5.15-rc5 next-20211013]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Ziyang-Xuan/thermal-core-fix-a-UAF-bug-in-__thermal_cooling_device_register/20211014-164859
base:   https://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm.git thermal
config: hexagon-randconfig-r005-20211014 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 6c76d0101193aa4eb891a6954ff047eda2f9cf71)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/fb39770678d4d898891ede9121c811844b5f2890
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Ziyang-Xuan/thermal-core-fix-a-UAF-bug-in-__thermal_cooling_device_register/20211014-164859
        git checkout fb39770678d4d898891ede9121c811844b5f2890
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 ARCH=hexagon 

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>

All warnings (new ones prefixed by >>):

>> drivers/thermal/thermal_core.c:901:6: warning: variable 'ret' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
           if (id < 0)
               ^~~~~~
   drivers/thermal/thermal_core.c:949:17: note: uninitialized use occurs here
           return ERR_PTR(ret);
                          ^~~
   drivers/thermal/thermal_core.c:901:2: note: remove the 'if' if its condition is always false
           if (id < 0)
           ^~~~~~~~~~~
   drivers/thermal/thermal_core.c:890:13: note: initialize the variable 'ret' to silence this warning
           int id, ret;
                      ^
                       = 0
   1 warning generated.


vim +901 drivers/thermal/thermal_core.c

   866	
   867	/**
   868	 * __thermal_cooling_device_register() - register a new thermal cooling device
   869	 * @np:		a pointer to a device tree node.
   870	 * @type:	the thermal cooling device type.
   871	 * @devdata:	device private data.
   872	 * @ops:		standard thermal cooling devices callbacks.
   873	 *
   874	 * This interface function adds a new thermal cooling device (fan/processor/...)
   875	 * to /sys/class/thermal/ folder as cooling_device[0-*]. It tries to bind itself
   876	 * to all the thermal zone devices registered at the same time.
   877	 * It also gives the opportunity to link the cooling device to a device tree
   878	 * node, so that it can be bound to a thermal zone created out of device tree.
   879	 *
   880	 * Return: a pointer to the created struct thermal_cooling_device or an
   881	 * ERR_PTR. Caller must check return value with IS_ERR*() helpers.
   882	 */
   883	static struct thermal_cooling_device *
   884	__thermal_cooling_device_register(struct device_node *np,
   885					  const char *type, void *devdata,
   886					  const struct thermal_cooling_device_ops *ops)
   887	{
   888		struct thermal_cooling_device *cdev;
   889		struct thermal_zone_device *pos = NULL;
   890		int id, ret;
   891	
   892		if (!ops || !ops->get_max_state || !ops->get_cur_state ||
   893		    !ops->set_cur_state)
   894			return ERR_PTR(-EINVAL);
   895	
   896		cdev = kzalloc(sizeof(*cdev), GFP_KERNEL);
   897		if (!cdev)
   898			return ERR_PTR(-ENOMEM);
   899	
   900		id = ida_simple_get(&thermal_cdev_ida, 0, 0, GFP_KERNEL);
 > 901		if (id < 0)
   902			goto out_kfree_cdev;
   903		cdev->id = id;
   904	
   905		cdev->type = kstrdup(type ? type : "", GFP_KERNEL);
   906		if (!cdev->type) {
   907			ret = -ENOMEM;
   908			goto out_ida_remove;
   909		}
   910	
   911		mutex_init(&cdev->lock);
   912		INIT_LIST_HEAD(&cdev->thermal_instances);
   913		cdev->np = np;
   914		cdev->ops = ops;
   915		cdev->updated = false;
   916		cdev->device.class = &thermal_class;
   917		cdev->devdata = devdata;
   918		thermal_cooling_device_setup_sysfs(cdev);
   919		dev_set_name(&cdev->device, "cooling_device%d", cdev->id);
   920		ret = device_register(&cdev->device);
   921		if (ret)
   922			goto out_kfree_type;
   923	
   924		/* Add 'this' new cdev to the global cdev list */
   925		mutex_lock(&thermal_list_lock);
   926		list_add(&cdev->node, &thermal_cdev_list);
   927		mutex_unlock(&thermal_list_lock);
   928	
   929		/* Update binding information for 'this' new cdev */
   930		bind_cdev(cdev);
   931	
   932		mutex_lock(&thermal_list_lock);
   933		list_for_each_entry(pos, &thermal_tz_list, node)
   934			if (atomic_cmpxchg(&pos->need_update, 1, 0))
   935				thermal_zone_device_update(pos,
   936							   THERMAL_EVENT_UNSPECIFIED);
   937		mutex_unlock(&thermal_list_lock);
   938	
   939		return cdev;
   940	
   941	out_kfree_type:
   942		kfree(cdev->type);
   943		put_device(&cdev->device);
   944		cdev = NULL;
   945	out_ida_remove:
   946		ida_simple_remove(&thermal_cdev_ida, id);
   947	out_kfree_cdev:
   948		kfree(cdev);
   949		return ERR_PTR(ret);
   950	}
   951	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
