lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <b8a27d63-c214-0af6-7ad0-b82402208e3b@molgen.mpg.de>
Date:   Wed, 12 Jul 2023 11:25:20 +0200
From:   Paul Menzel <pmenzel@...gen.mpg.de>
To:     Chris Lu (陸稚泓) <Chris.Lu@...iatek.com>
Cc:     marcel@...tmann.org, linux-kernel@...r.kernel.org,
        linux-mediatek@...ts.infradead.org,
        linux-bluetooth@...r.kernel.org, johan.hedberg@...il.com,
        Steve Lee (李視誠) <steve.lee@...iatek.com>,
        Sean Wang <Sean.Wang@...iatek.com>,
        Aaron Hou (侯俊仰) <Aaron.Hou@...iatek.com>,
        Luiz Augusto von Dentz <luiz.dentz@...il.com>
Subject: Re: [PATCH v3] Bluetooth: btmtk: Fix null pointer when processing
 coredump

Dear Chris,


Am 12.07.23 um 10:53 schrieb Chris Lu (陸稚泓):
> On Wed, 2023-07-12 at 08:11 +0200, Paul Menzel wrote:
>>   	
>> External email : Please do not click links or open attachments until
>> you have verified the sender or the content.

(It’d be nice if you removed such (automatically added) phrases from 
your reply.)

> Thanks for your review and feedback to Mediatek's Bluetooth driver
> code.

Thank you for your reply.

>> Am 12.07.23 um 07:18 schrieb Chris Lu:
>>> There may be a potential null pointer risk if offset value is
>>> less than 0 when doing memcmp in btmtk_process_coredump().
>>> Checking offset is valid before doing memcmp.
>>
>> Use imperative mood: Check offset …
>>
>>> Signed-off-by: Chris Lu <chris.lu@...iatek.com>
>>> Co-developed-by: Sean Wang <sean.wang@...iatek.com>
>>> Signed-off-by: Sean Wang <sean.wang@...iatek.com>
>>> ---
>>> v2: fix typo
>>> v3: fix bot checking error
>>> ---
>>>    drivers/bluetooth/btmtk.c | 16 ++++++++--------
>>>    1 file changed, 8 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
>>> index 786f775196ae..0f290430ae0e 100644
>>> --- a/drivers/bluetooth/btmtk.c
>>> +++ b/drivers/bluetooth/btmtk.c
>>> @@ -370,7 +370,7 @@ EXPORT_SYMBOL_GPL(btmtk_register_coredump);
>>>    int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
>>>    {
>>>    struct btmediatek_data *data = hci_get_priv(hdev);
>>> -int err;
>>> +int err, offset;
>>>    
>>>    if (!IS_ENABLED(CONFIG_DEV_COREDUMP))
>>>    return 0;
>>> @@ -392,15 +392,15 @@ int btmtk_process_coredump(struct hci_dev
>> *hdev, struct sk_buff *skb)
>>>    if (err < 0)
>>>    break;
>>>    data->cd_info.cnt++;
>>> +offset = skb->len - sizeof(MTK_COREDUMP_END);
>>
>> For `sizeof()` shouldn’t you use `size_t`? But that is unsigned of
>> course. Maybe ssize_t then?
>
> yes, it's better to use ssize_t or size_t, I'll change declaratins of
> offset from int to ssize_t.
> 
>>>    
>>>    /* Mediatek coredump data would be more than MTK_COREDUMP_NUM */
>>> -if (data->cd_info.cnt > MTK_COREDUMP_NUM &&
>>> -    skb->len > sizeof(MTK_COREDUMP_END) &&
>>> -    !memcmp((char *)&skb->data[skb->len - sizeof(MTK_COREDUMP_END)],
>>> -    MTK_COREDUMP_END, sizeof(MTK_COREDUMP_END) - 1)) {
>>> -bt_dev_info(hdev, "Mediatek coredump end");
>>> -hci_devcd_complete(hdev);
>>> -}
>>> +if (data->cd_info.cnt > MTK_COREDUMP_NUM && offset > 0)
>>
>> Why not keep it like before, and just add the condition `skb->len <
>> sizeof(MTK_COREDUMP_END)`? The compiler is probably going to optimize
>> so the value is not calculated twice.

> The reason why I send this patch is when I backport devcoredump feature
> to specific project with older kernel version, the compiler might not
> so optimized that it would cause kernel panic when run into memcmp.
> As a result, make sure `skb->len > sizeof(MTK_COREDUMP_END) ` before
> doing memcmp part can avoid null pointer issue.
> Besides, only in condition 'data->cd_info.cnt > MTK_COREDUMP_NUM &&
> offset > 0' need to do memcmp to check the end of coredump. Driver do
> noting with condition `skb->len < sizeof(MTK_COREDUMP_END) ` that
> additional condiction is not really necessary.

Just to avoid misunderstandings, my point, to add the comparison and get 
rid of the variable `offset`.


Kind regards,

Paul


>>> +if (!memcmp((char *)&skb->data[offset], MTK_COREDUMP_END,
>>> +    sizeof(MTK_COREDUMP_END) - 1)) {
>>> +bt_dev_info(hdev, "Mediatek coredump end");
>>> +hci_devcd_complete(hdev);
>>> +}
>>>    
>>>    break;
>>>    }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ