lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <YfPC1aFxtt9TazL9@kroah.com>
Date:   Fri, 28 Jan 2022 11:17:57 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Zhou Qingyang <zhou1615@....edu>
Cc:     kjlu@....edu, "Rafael J. Wysocki" <rafael@...nel.org>,
        Len Brown <lenb@...nel.org>, Lv Zheng <lv.zheng@...el.com>,
        linux-acpi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ACPI / tables: Fix a NULL pointer dereference in
 acpi_table_initrd_override()

On Tue, Jan 25, 2022 at 12:42:51AM +0800, Zhou Qingyang wrote:
> In acpi_table_initrd_override(), the return value of acpi_os_map_memory()
> is assigned to table and there is a dereference of it after that.
> acpi_os_map_memory() will return NULL on failure, which may lead to NULL
> pointer dereference.
> 
> Fix this bug by adding a NULL check of table.
> 
> This bug was found by a static analyzer.
> 
> Builds with 'make allyesconfig' show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 5ae74f2cc2f1 ("ACPI / tables: Move table override mechanisms to tables.c")
> Signed-off-by: Zhou Qingyang <zhou1615@....edu>
> ---
> The analysis employs differential checking to identify inconsistent 
> security operations (e.g., checks or kfrees) between two code paths 
> and confirms that the inconsistent operations are not recovered in the
> current function or the callers, so they constitute bugs. 
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
>  drivers/acpi/tables.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
> index 0741a4933f62..8b10c192ed32 100644
> --- a/drivers/acpi/tables.c
> +++ b/drivers/acpi/tables.c
> @@ -696,6 +696,10 @@ acpi_table_initrd_override(struct acpi_table_header *existing_table,
>  	while (table_offset + ACPI_HEADER_SIZE <= all_tables_size) {
>  		table = acpi_os_map_memory(acpi_tables_addr + table_offset,
>  					   ACPI_HEADER_SIZE);
> +		if (!table) {
> +			return AE_NO_MEMORY;
> +		}
> +
>  		if (table_offset + table->length > all_tables_size) {
>  			acpi_os_unmap_memory(table, ACPI_HEADER_SIZE);
>  			WARN_ON(1);
> -- 
> 2.25.1
> 

As stated before, umn.edu is still not allowed to contribute to the
Linux kernel.  Please work with your administration to resolve this
issue.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ