Open Source and information security mailing list archives
Message-ID: <2658b691-b992-b773-c6cf-85801adc479f@lwfinger.net>
Date: Tue, 28 May 2019 08:00:24 -0500
From: Larry Finger <Larry.Finger@...inger.net>
To: Kalle Valo <kvalo@...eaurora.org>, Jia-Ju Bai <baijiaju1990@...il.com>
Cc: pkshih@...ltek.com, davem@...emloft.net, linux-wireless@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rtlwifi: Fix null-pointer dereferences in error handling code of rtl_pci_probe()

On 5/28/19 6:55 AM, Kalle Valo wrote:
> Jia-Ju Bai <baijiaju1990@...il.com> wrote:
>
>> *BUG 1:
>> In rtl_pci_probe(), when rtlpriv->cfg->ops->init_sw_vars() fails,
>> rtl_deinit_core() in the error handling code is executed.
>> rtl_deinit_core() calls rtl_free_entries_from_scan_list(), which uses
>> rtlpriv->scan_list.list in list_for_each_entry_safe(), but it has been
>> initialized. Thus a null-pointer dereference occurs.
>> The reason is that rtlpriv->scan_list.list is initialized by
>> INIT_LIST_HEAD() in rtl_init_core(), which has not been called.
>>
>> To fix this bug, rtl_deinit_core() should not be called when
>> rtlpriv->cfg->ops->init_sw_vars() fails.
>>
>> *BUG 2:
>> In rtl_pci_probe(), rtl_init_core() can fail when rtl_regd_init() in
>> this function fails, and rtlpriv->scan_list.list has not been
>> initialized by INIT_LIST_HEAD(). Then, rtl_deinit_core() in the error
>> handling code of rtl_pci_probe() is executed. Finally, a null-pointer
>> dereference occurs due to the same reason of the above bug.
>>
>> To fix this bug, the initialization of lists in rtl_init_core() are
>> performed before the call to rtl_regd_init().
>>
>> These bugs are found by a runtime fuzzing tool named FIZZER written by
>> us.
>>
>> Signed-off-by: Jia-Ju Bai <baijiaju1990@...il.com>
>
> Ping & Larry, is this ok to take?
>

Kalle,

Not at the moment. In reviewing the code, I was unable to see how this situation could develop, and his backtrace did not mention any rtlwifi code.
For that reason, I asked him to add printk statements to show the last part of rtl_pci that executed correctly. In https://marc.info/?l=linux-wireless&m=155788322631134&w=2, he promised to do that, but I have not seen the result.

Larry
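The failure mode the patch description claims, modelled in user space as an added example that is not part of the thread or of the rtlwifi driver: a kzalloc()-style zeroed list_head has next == NULL, so walking it from an error path that runs before INIT_LIST_HEAD() reads through a NULL pointer. The `model_*` names, the `fixed` switch and the return codes are constructed for this illustration; the real driver's behaviour is exactly what Larry says remains to be demonstrated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for the kernel's list_head (constructed for this example). */
struct list_head { struct list_head *next, *prev; };
#define INIT_LIST_HEAD(h) do { (h)->next = (h); (h)->prev = (h); } while (0)

/* Stand-in for rtl_priv: zero-filled allocation leaves scan_list.next == NULL. */
struct model_priv { struct list_head scan_list; };

#define PATH_CLEAN      0   /* error handled without touching an uninitialized list */
#define PATH_NULLDEREF -1   /* the real code would dereference NULL at this point */

/* Model of rtl_free_entries_from_scan_list(): list_for_each_entry_safe() starts at
 * head->next, so a zeroed head means a NULL read. Reported here instead of crashing. */
static int model_free_scan_entries(struct model_priv *p)
{
    struct list_head *pos, *n;
    if (p->scan_list.next == NULL)
        return PATH_NULLDEREF;
    for (pos = p->scan_list.next; pos != &p->scan_list; pos = n)
        n = pos->next;                      /* entries would be freed here */
    return PATH_CLEAN;
}

/* Model of rtl_init_core(): with `fixed`, the list is initialized before the step
 * that can fail (rtl_regd_init() in BUG 2); without it, only on the success path. */
static int model_init_core(struct model_priv *p, bool regd_fails, bool fixed)
{
    if (fixed) INIT_LIST_HEAD(&p->scan_list);
    if (regd_fails) return -1;
    if (!fixed) INIT_LIST_HEAD(&p->scan_list);
    return 0;
}

/* Model of rtl_pci_probe()'s error handling; init_sw_vars() runs before rtl_init_core(). */
static int model_probe_error_path(bool regd_fails, bool sw_vars_fail, bool fixed)
{
    struct model_priv priv;
    memset(&priv, 0, sizeof priv);          /* kzalloc() semantics */
    if (sw_vars_fail) {
        /* BUG 1: unfixed path still calls rtl_deinit_core() although core was never set up */
        return fixed ? PATH_CLEAN : model_free_scan_entries(&priv);
    }
    if (model_init_core(&priv, regd_fails, fixed) != 0)
        return model_free_scan_entries(&priv); /* rtl_deinit_core() on the error path */
    return PATH_CLEAN;
}
```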