Date:   Sat, 2 May 2020 12:29:08 +0300
From:   Maxim Petrov <mmrmaximuzz@...il.com>
To:     Giuseppe Cavallaro <peppe.cavallaro@...com>,
        Alexandre Torgue <alexandre.torgue@...com>,
        Jose Abreu <joabreu@...opsys.com>,
        "David S. Miller" <davem@...emloft.net>,
        Maxime Coquelin <mcoquelin.stm32@...il.com>
Cc:     mmrmaximuzz@...il.com, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH] stmmac: fix pointer check after utilization in
 stmmac_interrupt

The paranoid pointer check in the IRQ handler looks very strange - it
really protects us only against bogus drivers which request an IRQ line
with a null pointer dev_id. However, the code fragment is incorrect
because the dev pointer is used before the actual check. That leads
to undefined behavior, thus compilers are free to remove the pointer
check altogether.

Signed-off-by: Maxim Petrov <mmrmaximuzz@...il.com>
---
 .../net/ethernet/stmicro/stmmac/stmmac_main.c | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 565da6498c84..ca08699f5565 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -4070,24 +4070,28 @@ static int stmmac_set_features(struct net_device *netdev,
  */
 static irqreturn_t stmmac_interrupt(int irq, void *dev_id)
 {
-	struct net_device *dev = (struct net_device *)dev_id;
-	struct stmmac_priv *priv = netdev_priv(dev);
-	u32 rx_cnt = priv->plat->rx_queues_to_use;
-	u32 tx_cnt = priv->plat->tx_queues_to_use;
+	u32 rx_cnt;
+	u32 tx_cnt;
 	u32 queues_count;
 	u32 queue;
 	bool xmac;
+	struct stmmac_priv *priv;
+	struct net_device *dev = (struct net_device *)dev_id;
 
+	if (unlikely(!dev)) {
+		netdev_err(NULL, "%s: invalid dev pointer\n", __func__);
+		return IRQ_NONE;
+	}
+
+	priv = netdev_priv(dev);
+	rx_cnt = priv->plat->rx_queues_to_use;
+	tx_cnt = priv->plat->tx_queues_to_use;
 	xmac = priv->plat->has_gmac4 || priv->plat->has_xgmac;
 	queues_count = (rx_cnt > tx_cnt) ? rx_cnt : tx_cnt;
 
 	if (priv->irq_wake)
 		pm_wakeup_event(priv->device, 0);
 
-	if (unlikely(!dev)) {
-		netdev_err(priv->dev, "%s: invalid dev pointer\n", __func__);
-		return IRQ_NONE;
-	}
 
 	/* Check if adapter is up */
 	if (test_bit(STMMAC_DOWN, &priv->state))
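
Review bot: in the declaration block at the top of stmmac_interrupt(), the moved "struct stmmac_priv *priv;" and "struct net_device *dev = ..." lines are appended after "bool xmac;", which breaks the longest-to-shortest (reverse Christmas tree) ordering of locals that netdev asks for. Keep the dev and priv declarations first, followed by the u32 counters, and only drop the initializers that dereference priv. Second, removing the old check after pm_wakeup_event() leaves two consecutive blank lines before the "Check if adapter is up" comment, so one of them should go with the removed block. The new early check itself is placed correctly: it now precedes netdev_priv(dev) and every priv->plat access, and its netdev_err() call no longer reads priv->dev on the failure path.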

base-commit: 6a8b55ed4056ea5559ebe4f6a4b247f627870d4c
-- 
2.17.1
