| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Jul 2023 08:11:41 +0200
From: Paul Menzel <pmenzel@...gen.mpg.de>
To: Chris Lu <chris.lu@...iatek.com>
Cc: Marcel Holtmann <marcel@...tmann.org>,
Johan Hedberg <johan.hedberg@...il.com>,
Luiz Von Dentz <luiz.dentz@...il.com>,
Sean Wang <sean.wang@...iatek.com>,
Aaron Hou <aaron.hou@...iatek.com>,
Steve Lee <steve.lee@...iatek.com>,
linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-mediatek@...ts.infradead.org
Subject: Re: [PATCH v3] Bluetooth: btmtk: Fix null pointer when processing
coredump
Dear Chris,
Am 12.07.23 um 07:18 schrieb Chris Lu:
> There may be a potential null pointer risk if offset value is
> less than 0 when doing memcmp in btmtk_process_coredump().
> Checking offset is valid before doing memcmp.
Use imperative mood: Check offset …
> Signed-off-by: Chris Lu <chris.lu@...iatek.com>
> Co-developed-by: Sean Wang <sean.wang@...iatek.com>
> Signed-off-by: Sean Wang <sean.wang@...iatek.com>
> ---
> v2: fix typo
> v3: fix bot checking error
> ---
> drivers/bluetooth/btmtk.c | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> index 786f775196ae..0f290430ae0e 100644
> --- a/drivers/bluetooth/btmtk.c
> +++ b/drivers/bluetooth/btmtk.c
> @@ -370,7 +370,7 @@ EXPORT_SYMBOL_GPL(btmtk_register_coredump);
> int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
> {
> struct btmediatek_data *data = hci_get_priv(hdev);
> - int err;
> + int err, offset;
>
> if (!IS_ENABLED(CONFIG_DEV_COREDUMP))
> return 0;
> @@ -392,15 +392,15 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
> if (err < 0)
> break;
> data->cd_info.cnt++;
> + offset = skb->len - sizeof(MTK_COREDUMP_END);
For `sizeof()` shouldn’t you use `size_t`? But that is unsigned of
course. Maybe ssize_t then?
>
> /* Mediatek coredump data would be more than MTK_COREDUMP_NUM */
> - if (data->cd_info.cnt > MTK_COREDUMP_NUM &&
> - skb->len > sizeof(MTK_COREDUMP_END) &&
> - !memcmp((char *)&skb->data[skb->len - sizeof(MTK_COREDUMP_END)],
> - MTK_COREDUMP_END, sizeof(MTK_COREDUMP_END) - 1)) {
> - bt_dev_info(hdev, "Mediatek coredump end");
> - hci_devcd_complete(hdev);
> - }
> + if (data->cd_info.cnt > MTK_COREDUMP_NUM && offset > 0)
Why not keep it like before, and just add the condition `skb->len <
sizeof(MTK_COREDUMP_END)`? The compiler is probably going to optimize so
the value is not calculated twice.
Kind regards,
Paul
> + if (!memcmp((char *)&skb->data[offset], MTK_COREDUMP_END,
> + sizeof(MTK_COREDUMP_END) - 1)) {
> + bt_dev_info(hdev, "Mediatek coredump end");
> + hci_devcd_complete(hdev);
> + }
>
> break;
> }
Powered by blists - more mailing lists