lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri,  8 Mar 2024 00:19:28 +0300
From: Rand Deeb <rand.sec96@...il.com>
To: m@...s.ch
Cc: deeb.rand@...fident.ru,
	jonas.gorski@...il.com,
	khoroshilov@...ras.ru,
	kvalo@...nel.org,
	linux-kernel@...r.kernel.org,
	linux-wireless@...r.kernel.org,
	lvc-project@...uxtesting.org,
	rand.sec96@...il.com,
	voskresenski.stanislav@...fident.ru
Subject: Re: [PATCH v3] ssb: Fix potential NULL pointer dereference in ssb_device_uevent


On Thu, Mar 7, 2024 at 9:24 PM Michael Büsch <m@...s.ch> wrote:

> There is only one reason to eliminate NULL checks:
> In extremely performance critical code, if it improves performance
> significantly and it is clearly documented that the pointer can never be NULL.
>
> This is not that case here. This is not critical code.

Hi Michael, thank you for your collaboration and feedback.
Yes, I agree, this is not critical code, but what's the point of leaving 
redundant conditions even if they won't make a significant performance 
difference, regardless of the policy (In other words, as a friendly 
discussion) ?
Please take a look at https://git.kernel.org/netdev/net-next/c/92fc97ae9cfd
same situation but it has been applied ! why ?


> Having NULL checks is defensive programming.
> Removing NULL checks is a hazard.
> Not having these checks is a big part of why security sucks in today's software.

I understand and respect your point of view as software engineer but it's a
matter of design problems which is not our case here.
Defensive programming is typically applied when there's a potential risk, 
but in our scenario, it's impossible for 'dev' to be NULL. If we adopt this
approach as a form of defensive programming, we'd find ourselves adding 
similar conditions to numerous functions and parameters. Moreover, this 
would unnecessarily complicate the codebase, especially during reviews. For
instance, encountering such a condition might lead one to assume that 'dev'
could indeed be NULL before reaching this function. That's my viewpoint.

> V3 shall be applied, because it fixes a clear bug. Whether this bug can actually
> be triggered or not in today's kernel doesn't matter.

so would you recommend fix the commit message as Jeff Johnson recommended ?
or just keep it as it is ?

--
Best Regards
Rand Deeb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ