| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Jan 2022 16:57:40 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: Damien Le Moal <damien.lemoal@...nsource.wdc.com>
Cc: Zhou Qingyang <zhou1615@....edu>, kjlu@....edu,
Alexander Shiyan <shc_work@...l.ru>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>,
Jens Axboe <axboe@...nel.dk>, linux-ide@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ata: pata_platform: Fix a NULL pointer dereference in
__pata_platform_probe()
On Fri, Jan 28, 2022 at 08:50:04PM +0900, Damien Le Moal wrote:
> On 1/28/22 19:11, Greg KH wrote:
> > On Tue, Jan 25, 2022 at 12:45:25AM +0800, Zhou Qingyang wrote:
> >> In __pata_platform_probe(), devm_kzalloc() is assigned to ap->ops and
> >> there is a dereference of it right after that, which could introduce a
> >> NULL pointer dereference bug.
> >>
> >> Fix this by adding a NULL check of ap->ops.
> >>
> >> This bug was found by a static analyzer.
> >>
> >> Builds with 'make allyesconfig' show no new warnings,
> >> and our static analyzer no longer warns about this code.
> >>
> >> Fixes: f3d5e4f18dba ("ata: pata_of_platform: Allow to use 16-bit wide data transfer")
> >> Signed-off-by: Zhou Qingyang <zhou1615@....edu>
> >> ---
> >
> > As stated in the past, please do not make contributions to the Linux
> > kernel until umn.edu has properly resolved its development issues.
>
> Aouch. My apologies. I forgot about this. Thank you for the reminder.
>
> >
> >> The analysis employs differential checking to identify inconsistent
> >> security operations (e.g., checks or kfrees) between two code paths
> >> and confirms that the inconsistent operations are not recovered in the
> >> current function or the callers, so they constitute bugs.
> >>
> >> Note that, as a bug found by static analysis, it can be a false
> >> positive or hard to trigger. Multiple researchers have cross-reviewed
> >> the bug.
> >>
> >> drivers/ata/pata_platform.c | 2 ++
> >> 1 file changed, 2 insertions(+)
> >>
> >> diff --git a/drivers/ata/pata_platform.c b/drivers/ata/pata_platform.c
> >> index 028329428b75..021ef9cbcbc1 100644
> >> --- a/drivers/ata/pata_platform.c
> >> +++ b/drivers/ata/pata_platform.c
> >> @@ -128,6 +128,8 @@ int __pata_platform_probe(struct device *dev, struct resource *io_res,
> >> ap = host->ports[0];
> >>
> >> ap->ops = devm_kzalloc(dev, sizeof(*ap->ops), GFP_KERNEL);
> >> + if (ap->ops)
> >> + return -ENOMEM;
> >
> > This change seems to leak memory. Damien, please revert it.
>
> I fixed the patch when applying, so there is no leak.
Really? What happened to the memory that ata_host_alloc() created above
this call? How is that freed?
> This is a genuine (potential) bug fix.
As I tell others, how can kmalloc() ever fail here, so odd of this being
a real bugfix are so low it's not funny. So take these types of
cleanups as a last-resort only after you have strongly validated that
they are correct. The current group of people trying to do these fixes
have a horrible track-record and are getting things wrong way more than
they should be. And so it is worse having code that "looks" correct vs.
something that is "obviously we need to handle this some day".
> Must I revert ?
If it's buggy you should, see my above question about ata_host_alloc(),
is there a cleanup path somewhere that I am missing?
thanks,
greg k-h
Powered by blists - more mailing lists