Open Source and information security mailing list archives
 
Message-ID: <532da9fc-d241-a8a4-217a-22c1429d43a3@intel.com>
Date:   Mon, 7 Mar 2022 10:30:10 +0800
From:   Yujie Liu <yujie.liu@...el.com>
To:     Vincent Mailhol <mailhol.vincent@...adoo.fr>,
        Marc Kleine-Budde <mkl@...gutronix.de>,
        <linux-can@...r.kernel.org>
CC:     <linux-kernel@...r.kernel.org>, kernel test robot <lkp@...el.com>
Subject: Re: [PATCH] can: etas_es58x: initialize rx_event_msg before calling
 es58x_check_msg_len()

Hi Vincent,

On 3/6/2022 18:13, Vincent Mailhol wrote:
> Function es58x_fd_rx_event() invokes the es58x_check_msg_len() macro:
> | 	ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
> While doing so, it dereferences an uninitialized variable: *rx_event_msg.
> 
> This is actually harmless because es58x_check_msg_len() only uses
> preprocessor macros (sizeof() and __stringify()) on
> *rx_event_msg. c.f. [1].
> 
> Nonetheless, this pattern is confusing so the lines are reordered to
> make sure that rx_event_msg is correctly initialized.
> 
> This patch also fixes a false positive warning reported by cppcheck:
> 
> | cppcheck possible warnings: (new ones prefixed by >>, may not be real problems)
> |
> |     In file included from drivers/net/can/usb/etas_es58x/es58x_fd.c:
> |  >> drivers/net/can/usb/etas_es58x/es58x_fd.c:174:8: warning: Uninitialized variable: rx_event_msg [uninitvar]
> |      ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
> |            ^
> 
> [1] https://elixir.bootlin.com/linux/latest/source/drivers/net/can/usb/etas_es58x/es58x_core.h#L467
> 
> Reported-by: kernel test robot <yujie.liu@...el.com>
> Signed-off-by: Vincent Mailhol <mailhol.vincent@...adoo.fr>
> ---
> As discussed in
> https://lore.kernel.org/linux-can/20220302130423.ddd2ulldffpo5lb2@pengutronix.de/T/#u,
> no need to backport this patch because this is not a fix.
> 
> @Yujie Liu: I added the "Reported-by: kernel test robot". This being a
> false positive, let me know if you would like to remove the tag in
> order not to mess with your statistics.

Actually we did some analysis similar to that in the report mail thread, and noticed
that it was a false positive, but we still sent out the report since the code here
is not consistent with other functions in the same patch. We should have made this
clearer in the original report.

Since the "Reported-by" tag is dedicated to reporting a real bug, please kindly remove
the tag in this patch, thanks.

Regards,
Yujie

> ---
>   drivers/net/can/usb/etas_es58x/es58x_fd.c | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/net/can/usb/etas_es58x/es58x_fd.c b/drivers/net/can/usb/etas_es58x/es58x_fd.c
> index 88d2540abbbe..c97ffa71fd75 100644
> --- a/drivers/net/can/usb/etas_es58x/es58x_fd.c
> +++ b/drivers/net/can/usb/etas_es58x/es58x_fd.c
> @@ -173,12 +173,11 @@ static int es58x_fd_rx_event_msg(struct net_device *netdev,
>   	const struct es58x_fd_rx_event_msg *rx_event_msg;
>   	int ret;
>   
> +	rx_event_msg = &es58x_fd_urb_cmd->rx_event_msg;
>   	ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
>   	if (ret)
>   		return ret;
>   
> -	rx_event_msg = &es58x_fd_urb_cmd->rx_event_msg;
> -
>   	return es58x_rx_err_msg(netdev, rx_event_msg->error_code,
>   				rx_event_msg->event_code,
>   				get_unaligned_le64(&rx_event_msg->timestamp));
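
Review bot: the changelog says es58x_fd_rx_event() is the function that invokes es58x_check_msg_len(), but the header of this hunk shows the change lands in es58x_fd_rx_event_msg(); the commit message should name that function so the description matches the code. On the reorder itself, the length check still gates every read of the message: the new first statement only takes the address of es58x_fd_urb_cmd->rx_event_msg, and the first loads through the pointer (error_code, event_code, timestamp) remain after `if (ret) return ret;`.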

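The commit message's reasoning, as an added example that is not part of the original thread or the driver's code: an expression that appears only under sizeof and stringification is never evaluated, so both statement orders behave identically. The struct layouts, check_len(), the simplified check_msg_len() macro and the rx_event_old()/rx_event_new() names are assumptions made for illustration, not the real es58x definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins; field names follow the hunk, layout is assumed. */
struct rx_event_msg { uint64_t timestamp; uint8_t error_code, event_code; };
struct urb_cmd { struct rx_event_msg rx_event_msg; };

static const char *last_checked;	/* name captured by stringification */

static int check_len(const char *name, size_t expected, size_t actual)
{
	last_checked = name;
	return expected == actual ? 0 : -EMSGSIZE;
}

/* Hypothetical simplified length check: "msg" appears only under sizeof and
 * #, so the expression is never evaluated at run time. */
#define check_msg_len(msg, actual_len) check_len(#msg, sizeof(msg), (actual_len))

/* Pre-patch order: the pointer is assigned only after the check. */
static int rx_event_old(const struct urb_cmd *cmd, size_t msg_len)
{
	const struct rx_event_msg *rx_event_msg;
	int ret = check_msg_len(*rx_event_msg, msg_len);

	if (ret)
		return ret;
	rx_event_msg = &cmd->rx_event_msg;
	return rx_event_msg->error_code;
}

/* Patched order: assign first; taking the member's address reads nothing. */
static int rx_event_new(const struct urb_cmd *cmd, size_t msg_len)
{
	const struct rx_event_msg *rx_event_msg = &cmd->rx_event_msg;
	int ret = check_msg_len(*rx_event_msg, msg_len);

	return ret ? ret : rx_event_msg->error_code;
}

int main(void)
{
	struct urb_cmd cmd = { { 1, 7, 2 } };	/* constructed sample message */
	/* Both orders agree: 7 on a correct length, -EMSGSIZE on a short one. */
	return !(rx_event_old(&cmd, sizeof(cmd.rx_event_msg)) == 7 &&
		 rx_event_new(&cmd, 3) == -EMSGSIZE &&
		 strcmp(last_checked, "*rx_event_msg") == 0);
}
```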