| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <77ba52f4-dcdc-4fdd-97b7-0163e54e8836@mandelbit.com>
Date: Wed, 30 Oct 2024 22:06:36 +0100
From: Antonio Quartulli <antonio@...delbit.com>
To: Mario Limonciello <mario.limonciello@....com>
Cc: amd-gfx@...ts.freedesktop.org, alexander.deucher@....com,
christian.koenig@....com, Xinhui.Pan@....com,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] amdgpu: prevent NULL pointer dereference if ATIF is not
supported
Hi Mario,
On 30/10/2024 02:41, Mario Limonciello wrote:
> On 10/29/2024 18:32, Antonio Quartulli wrote:
>> acpi_evaluate_object() may return AE_NOT_FOUND (failure), which
>> would result in dereferencing buffer.pointer (obj) while being NULL.
>>
>> Bail out also when status is AE_NOT_FOUND with a proper error message.
>>
>> This fixes 1 FORWARD_NULL issue reported by Coverity
>> Report: CID 1600951: Null pointer dereferences (FORWARD_NULL)
>>
>> Signed-off-by: Antonio Quartulli <antonio@...delbit.com>
>
> I'm not really sure how realistic this failure is. Can you share the
> full call trace that Coverity identified?
I just checked Coverity Scan and it only says:
5. Condition status, taking true branch.
6. Condition status != 5U /* (acpi_status)(5 | 0) */, taking false branch.
The above points are related to:
if (ACPI_FAILURE(status) && status != AE_NOT_FOUND)
It doesn't show how acpi_evaluate_object() is expected to return
AE_NOT_FOUND.
This said, if you think this case is unrealistic, why do you check for
"status != AE_NOT_FOUND" at all?
At this point maybe it would make more sense to simply drop this check
and always bail out with the current error message.
Basically a patch with the following only:
- /* Fail if calling the method fails and ATIF is supported */
- if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) {
+ /* Fail if calling the method fails */
+ if (ACPI_FAILURE(status)) {
This way we don't make a fuzz for a possibly unrealistic case, while
still protecting against bugs and null-dereferences.
Regards,
>
> amdgpu_atif_pci_probe_handle() will check whether the handle is
> available in the first place. We'll never this this far if that failed.
>
> Because of that I don't follow how this could return AE_NOT_FOUND.
>> ---
>> drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 11 +++++++----
>> 1 file changed, 7 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/
>> drm/amd/amdgpu/amdgpu_acpi.c
>> index cce85389427f..f10c3261a4ab 100644
>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
>> @@ -172,10 +172,13 @@ static union acpi_object
>> *amdgpu_atif_call(struct amdgpu_atif *atif,
>> &buffer);
>> obj = (union acpi_object *)buffer.pointer;
>> - /* Fail if calling the method fails and ATIF is supported */
>> - if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) {
>> - DRM_DEBUG_DRIVER("failed to evaluate ATIF got %s\n",
>> - acpi_format_exception(status));
>> + /* Fail if calling the method fails */
>> + if (ACPI_FAILURE(status)) {
>> + if (status != AE_NOT_FOUND)
>> + DRM_DEBUG_DRIVER("failed to evaluate ATIF got %s\n",
>> + acpi_format_exception(status));
>> + else
>> + DRM_DEBUG_DRIVER("ATIF not supported\n");
>> kfree(obj);
>> return NULL;
>> }
>
--
Antonio Quartulli
CEO and Co-Founder
Mandelbit Srl
https://www.mandelbit.com
Powered by blists - more mailing lists