Date:   Mon, 18 Jul 2022 12:20:06 +0300
From:   Subkhankulov Rustam <subkhankulov@...ras.ru>
To:     Will Deacon <will@...nel.org>
Cc:     Robin Murphy <robin.murphy@....com>,
        Joerg Roedel <joro@...tes.org>,
        linux-arm-kernel@...ts.infradead.org, iommu@...ts.linux.dev,
        linux-kernel@...r.kernel.org,
        Alexey Khoroshilov <khoroshilov@...ras.ru>,
        ldv-project@...uxtesting.org
Subject: [POSSIBLE BUG] iommu/io-pgtable-arm: possible dereferencing of NULL pointer

Version: 5.19-rc6

In function '__arm_lpae_alloc_pages', pointer 'dev' is compared with 
NULL at [drivers/iommu/io-pgtable-arm.c: 203]. This means that the 
pointer can be NULL.

-----------------------------------------------------------------------
203 	p = alloc_pages_node(dev ? dev_to_node(dev) : NUMA_NO_NODE,
204 			     gfp | __GFP_ZERO, order);
-----------------------------------------------------------------------

Then, if cfg->coherent_walk == 0 at [drivers/iommu/io-pgtable-arm.c: 
209], function 'dma_map_single', which is defined as 
'dma_map_single_attrs', is called and pointer 'dev' is passed as its 
first parameter.

-----------------------------------------------------------------------
209 	if (!cfg->coherent_walk) {
208 		dma = dma_map_single(dev, pages, size, DMA_TO_DEVICE);
-----------------------------------------------------------------------

Therefore, pointer 'dev' is passed to function 'dev_driver_string' 
in macro 'dev_WARN_ONCE' at [include/linux/dma-mapping.h: 326], 
where it is dereferenced at [drivers/base/core.c: 2091].

-----------------------------------------------------------------------
2083	const char *dev_driver_string(const struct device *dev)
2084	{
2085		struct device_driver *drv;
2086
---
2091		drv = READ_ONCE(dev->driver);
-----------------------------------------------------------------------

Thus, if it is possible that 'dev' is NULL at the same time 
that flag 'coherent_walk' is 0, then a NULL pointer will be 
dereferenced.

Should we somehow avoid the NULL pointer dereference, or is this 
situation impossible, so that the comparison with NULL should be removed?

Found by Linux Verification Center (linuxtesting.org) with SVACE.

regards,
Rustam Subkhankulov
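As an added example (not code from the report, from the kernel tree, or from the Linux Verification Center), the following userland C model reproduces the shape of the flow described above and shows the first of the two options the report asks about: rejecting the (dev == NULL, coherent_walk == 0) combination up front, before it can reach the dereference inside the DMA layer. All names in it (fake_dev, fake_cfg, fake_dma_map_single, walk_would_deref_null, alloc_walk_pages_guarded, check_guard) are hypothetical stand-ins, and the sample device is constructed for the demonstration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Userland model of the flow in the report (illustrative only, not kernel code).
 * struct fake_dev / struct fake_cfg are hypothetical stand-ins for
 * struct device / struct io_pgtable_cfg.
 */
struct fake_dev {
    const char *driver;     /* stands in for dev->driver, read by dev_driver_string() */
};

struct fake_cfg {
    bool coherent_walk;     /* walks are cache coherent: no DMA mapping of the tables */
};

/*
 * The predicate the report is really about: a NULL 'dev' is only harmful
 * when the non-coherent path is taken, because that path hands 'dev' to
 * dma_map_single() and, on its warning path, to dev_driver_string().
 */
bool walk_would_deref_null(const struct fake_dev *dev, const struct fake_cfg *cfg)
{
    return dev == NULL && !cfg->coherent_walk;
}

/* Stand-in for dma_map_single(): dereferences 'dev' unconditionally, as
 * dev_driver_string() does via dev->driver. Returns 0 on mapping failure. */
static unsigned long fake_dma_map_single(struct fake_dev *dev, void *cpu_addr)
{
    if (dev->driver == NULL)        /* a NULL 'dev' would crash here, as in the report */
        return 0;
    return (unsigned long)cpu_addr; /* identity "mapping" is enough for the model */
}

/*
 * Guarded allocation (option 1 in the report): refuse the bad combination
 * before any dereference instead of leaving it to crash in the DMA layer.
 * Returns the pages or NULL; *err receives 0 or a negative errno value.
 */
void *alloc_walk_pages_guarded(struct fake_dev *dev, struct fake_cfg *cfg,
                               size_t size, int *err)
{
    void *pages;

    *err = 0;
    if (walk_would_deref_null(dev, cfg)) {
        *err = -EINVAL;             /* a non-coherent walk needs a device to map for */
        return NULL;
    }

    pages = calloc(1, size);        /* stands in for alloc_pages_node(..., __GFP_ZERO, ...) */
    if (!pages) {
        *err = -ENOMEM;
        return NULL;
    }

    if (!cfg->coherent_walk && fake_dma_map_single(dev, pages) == 0) {
        free(pages);
        *err = -EIO;
        return NULL;
    }
    return pages;
}

/* Runs one (device present?, coherent walk?) scenario and returns its errno. */
int check_guard(bool have_dev, bool coherent)
{
    struct fake_dev sample = { .driver = "test-driver" };   /* constructed sample device */
    struct fake_cfg cfg = { .coherent_walk = coherent };
    int err;
    void *pages = alloc_walk_pages_guarded(have_dev ? &sample : NULL, &cfg, 4096, &err);

    free(pages);                    /* free(NULL) is a no-op */
    return err;
}

int main(void)
{
    printf("NULL dev, non-coherent walk: err=%d (expected %d)\n",
           check_guard(false, false), -EINVAL);
    printf("NULL dev, coherent walk:     err=%d\n", check_guard(false, true));
    printf("real dev, non-coherent walk: err=%d\n", check_guard(true, false));
    return 0;
}
```

The second option the report mentions (dropping the NULL comparison on line 203) is the same predicate treated as unreachable rather than rejected; which of the two is right depends on whether any caller can pass a NULL device together with a non-coherent configuration, and only the kernel tree, not this model, answers that.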
