lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <35c096e5251f49c1abfbb51f761eab82@realtek.com>
Date:   Thu, 21 Oct 2021 05:46:15 +0000
From:   Pkshih <pkshih@...ltek.com>
To:     Kalle Valo <kvalo@...eaurora.org>
CC:     Colin King <colin.king@...onical.com>,
        "David S . Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta


> -----Original Message-----
> From: kvalo=codeaurora.org@...codeaurora.org <kvalo=codeaurora.org@...codeaurora.org> On Behalf Of Kalle
> Valo
> Sent: Wednesday, October 20, 2021 4:36 PM
> To: Pkshih <pkshih@...ltek.com>
> Cc: Colin King <colin.king@...onical.com>; David S . Miller <davem@...emloft.net>; Jakub Kicinski
> <kuba@...nel.org>; linux-wireless@...r.kernel.org; netdev@...r.kernel.org;
> kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> Subject: Re: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> 
> Pkshih <pkshih@...ltek.com> writes:
> 
> >> -----Original Message-----
> >> From: kvalo=codeaurora.org@...codeaurora.org
> >> <kvalo=codeaurora.org@...codeaurora.org> On
> >> Behalf Of Kalle Valo
> >> Sent: Monday, October 18, 2021 8:12 PM
> >> To: Pkshih <pkshih@...ltek.com>
> >> Cc: Colin King <colin.king@...onical.com>; David S . Miller
> >> <davem@...emloft.net>; Jakub
> >> Kicinski <kuba@...nel.org>; linux-wireless@...r.kernel.org; netdev@...r.kernel.org;
> >> kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> >> Subject: Re: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> >>
> >> Pkshih <pkshih@...ltek.com> writes:
> >>
> >> >> -----Original Message-----
> >> >> From: Colin King <colin.king@...onical.com>
> >> >> Sent: Friday, October 15, 2021 11:46 PM
> >> >> To: Kalle Valo <kvalo@...eaurora.org>; David S . Miller <davem@...emloft.net>; Jakub Kicinski
> >> >> <kuba@...nel.org>; Pkshih <pkshih@...ltek.com>; linux-wireless@...r.kernel.org;
> >> >> netdev@...r.kernel.org
> >> >> Cc: kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> >> >> Subject: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> >> >>
> >> >> From: Colin Ian King <colin.king@...onical.com>
> >> >>
> >> >> The pointer rtwsta is dereferencing pointer sta before sta is
> >> >> being null checked, so there is a potential null pointer deference
> >> >> issue that may occur. Fix this by only assigning rtwsta after sta
> >> >> has been null checked. Add in a null pointer check on rtwsta before
> >> >> dereferencing it too.
> >> >>
> >> >> Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
> >> >> Addresses-Coverity: ("Dereference before null check")
> >> >> Signed-off-by: Colin Ian King <colin.king@...onical.com>
> >> >> ---
> >> >>  drivers/net/wireless/realtek/rtw89/core.c | 9 +++++++--
> >> >>  1 file changed, 7 insertions(+), 2 deletions(-)
> >> >>
> >> >> diff --git a/drivers/net/wireless/realtek/rtw89/core.c
> >> >> b/drivers/net/wireless/realtek/rtw89/core.c
> >> >> index 06fb6e5b1b37..26f52a25f545 100644
> >> >> --- a/drivers/net/wireless/realtek/rtw89/core.c
> >> >> +++ b/drivers/net/wireless/realtek/rtw89/core.c
> >> >> @@ -1534,9 +1534,14 @@ static bool rtw89_core_txq_agg_wait(struct rtw89_dev *rtwdev,
> >> >>  {
> >> >>  	struct rtw89_txq *rtwtxq = (struct rtw89_txq *)txq->drv_priv;
> >> >>  	struct ieee80211_sta *sta = txq->sta;
> >> >> -	struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;
> >> >
> >> > 'sta->drv_priv' is only a pointer, we don't really dereference the
> >> > data right here, so I think this is safe. More, compiler can optimize
> >> > this instruction that reorder it to the place just right before using.
> >> > So, it seems like a false alarm.
> >> >
> >> >> +	struct rtw89_sta *rtwsta;
> >> >>
> >> >> -	if (!sta || rtwsta->max_agg_wait <= 0)
> >> >> +	if (!sta)
> >> >> +		return false;
> >> >> +	rtwsta = (struct rtw89_sta *)sta->drv_priv;
> >> >> +	if (!rtwsta)
> >> >> +		return false;
> >> >> +	if (rtwsta->max_agg_wait <= 0)
> >> >>  		return false;
> >> >>
> >> >>  	if (rtwdev->stats.tx_tfc_lv <= RTW89_TFC_MID)
> >> >
> >> > I check the size of object files before/after this patch, and
> >> > the original one is smaller.
> >> >
> >> >    text    data     bss     dec     hex filename
> >> >   16781    3392       1   20174    4ece core-0.o  // original
> >> >   16819    3392       1   20212    4ef4 core-1.o  // after this patch
> >> >
> >> > Do you think it is worth to apply this patch?
> >>
> >> I think that we should apply the patch. Even though the compiler _may_
> >> reorder the code, it might choose not to do that.
> >
> > Understand.
> >
> > I have another way to fix this coverity warning, like:
> >
> > @@ -1617,7 +1617,7 @@ static bool rtw89_core_txq_agg_wait(struct rtw89_dev *rtwdev,
> >  {
> >         struct rtw89_txq *rtwtxq = (struct rtw89_txq *)txq->drv_priv;
> >         struct ieee80211_sta *sta = txq->sta;
> > -       struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;
> > +       struct rtw89_sta *rtwsta = sta ? (struct rtw89_sta *)sta->drv_priv : NULL;
> >
> >         if (!sta || rtwsta->max_agg_wait <= 0)
> >                 return false;
> >
> > Is this acceptable?
> > It has a little redundant checking of 'sta', but the code looks clean.
> 
> I feel that Colin's fix is more readable, but this is just matter of
> taste. You can choose.

I would like my version. 

There are three similar warnings reported by smatch, so I will fix them by
myself. Please drop this patch. 
But, still thank Colin to point out this issue.

--
Ping-Ke


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ