lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d8f82d97496c73c01521dbbce5455ad23521036c.camel@mediatek.com>
Date:   Wed, 12 Jul 2023 08:53:14 +0000
From:   Chris Lu (陸稚泓) <Chris.Lu@...iatek.com>
To:     "pmenzel@...gen.mpg.de" <pmenzel@...gen.mpg.de>
CC:     "marcel@...tmann.org" <marcel@...tmann.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-mediatek@...ts.infradead.org" 
        <linux-mediatek@...ts.infradead.org>,
        "linux-bluetooth@...r.kernel.org" <linux-bluetooth@...r.kernel.org>,
        "johan.hedberg@...il.com" <johan.hedberg@...il.com>,
        Steve Lee (李視誠) <steve.lee@...iatek.com>,
        Sean Wang <Sean.Wang@...iatek.com>,
        Aaron Hou (侯俊仰) <Aaron.Hou@...iatek.com>,
        "luiz.dentz@...il.com" <luiz.dentz@...il.com>
Subject: Re: [PATCH v3] Bluetooth: btmtk: Fix null pointer when processing
 coredump

On Wed, 2023-07-12 at 08:11 +0200, Paul Menzel wrote:
>  	 
> External email : Please do not click links or open attachments until
> you have verified the sender or the content.
>  Dear Chris,
> 
Dear Paul,

Thanks for your review and feedback to Mediatek's Bluetooth driver
code.

> 
> Am 12.07.23 um 07:18 schrieb Chris Lu:
> > There may be a potential null pointer risk if offset value is
> > less than 0 when doing memcmp in btmtk_process_coredump().
> > Checking offset is valid before doing memcmp.
> 
> Use imperative mood: Check offset …
> 
> > Signed-off-by: Chris Lu <chris.lu@...iatek.com>
> > Co-developed-by: Sean Wang <sean.wang@...iatek.com>
> > Signed-off-by: Sean Wang <sean.wang@...iatek.com>
> > ---
> > v2: fix typo
> > v3: fix bot checking error
> > ---
> >   drivers/bluetooth/btmtk.c | 16 ++++++++--------
> >   1 file changed, 8 insertions(+), 8 deletions(-)
> > 
> > diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> > index 786f775196ae..0f290430ae0e 100644
> > --- a/drivers/bluetooth/btmtk.c
> > +++ b/drivers/bluetooth/btmtk.c
> > @@ -370,7 +370,7 @@ EXPORT_SYMBOL_GPL(btmtk_register_coredump);
> >   int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff
> *skb)
> >   {
> >   struct btmediatek_data *data = hci_get_priv(hdev);
> > -int err;
> > +int err, offset;
> >   
> >   if (!IS_ENABLED(CONFIG_DEV_COREDUMP))
> >   return 0;
> > @@ -392,15 +392,15 @@ int btmtk_process_coredump(struct hci_dev
> *hdev, struct sk_buff *skb)
> >   if (err < 0)
> >   break;
> >   data->cd_info.cnt++;
> > +offset = skb->len - sizeof(MTK_COREDUMP_END);
> 
> For `sizeof()` shouldn’t you use `size_t`? But that is unsigned of 
> course. Maybe ssize_t then?
> 
yes, it's better to use ssize_t or size_t, I'll change declaratins of
offset from int to ssize_t.

> >   
> >   /* Mediatek coredump data would be more than MTK_COREDUMP_NUM */
> > -if (data->cd_info.cnt > MTK_COREDUMP_NUM &&
> > -    skb->len > sizeof(MTK_COREDUMP_END) &&
> > -    !memcmp((char *)&skb->data[skb->len -
> sizeof(MTK_COREDUMP_END)],
> > -    MTK_COREDUMP_END, sizeof(MTK_COREDUMP_END) - 1)) {
> > -bt_dev_info(hdev, "Mediatek coredump end");
> > -hci_devcd_complete(hdev);
> > -}
> > +if (data->cd_info.cnt > MTK_COREDUMP_NUM && offset > 0)
> 
> Why not keep it like before, and just add the condition `skb->len < 
> sizeof(MTK_COREDUMP_END)`? The compiler is probably going to optimize
> so 
> the value is not calculated twice.
> 
> 
> Kind regards,
> 
> Paul
> 
> 
The reason why I send this patch is when I backport devcoredump feature
to specific project with older kernel version, the compiler might not
so optimized that it would cause kernel panic when run into memcmp.
As a result, make sure `skb->len > sizeof(MTK_COREDUMP_END) ` before
doing memcmp part can avoid null pointer issue.
Besides, only in condition 'data->cd_info.cnt > MTK_COREDUMP_NUM &&
offset > 0' need to do memcmp to check the end of coredump. Driver do
noting with condition `skb->len < sizeof(MTK_COREDUMP_END) ` that
additional condiction is not really necessary.

> > +if (!memcmp((char *)&skb->data[offset], MTK_COREDUMP_END,
> > +    sizeof(MTK_COREDUMP_END) - 1)) {
> > +bt_dev_info(hdev, "Mediatek coredump end");
> > +hci_devcd_complete(hdev);
> > +}
> >   
> >   break;
> >   }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ