lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 2 Aug 2021 13:44:41 -0700
From:   Brian Norris <>
To:     Li Tuo <>
Cc:     amit karwar <>,
        Ganapathi Bhat <>,
        Sharvari Harisangam <>,
        Xinming Hu <>,
        Kalle Valo <>,
        "David S. Miller" <>,
        Jakub Kicinski <>,
        linux-wireless <>,
        "<>" <>,
        Linux Kernel <>,
Subject: Re: [BUG] mwifiex: possible null-pointer dereference in mwifiex_dnld_cmd_to_fw()


On Fri, Jul 30, 2021 at 9:13 PM Li Tuo <> wrote:
> Our static analysis tool finds a possible null-pointer dereference in
> the mwifiex driver in Linux 5.14.0-rc3:

Wouldn't be the first time a static analysis tool tripped up over
excessively redundant "safety" checks :)

For example:

> The variable cmd_node->cmd_skb->data is assigned to the variable
> host_cmd, and host_cmd is checked in:
> 190:    if (host_cmd == NULL || host_cmd->size == 0)
> This indicates that host_cmd can be NULL.
> If so, the function mwifiex_recycle_cmd_node() will be called with the
> argument cmd_node:
> 196:    mwifiex_recycle_cmd_node(adapter, cmd_node);
> In this called function, the variable cmd_node->cmd_skb->data is
> assigned to the variable host_cmd, too.
> Thus the variable host_cmd in the function mwifiex_recycle_cmd_node()
> can be also NULL.
> However, it is dereferenced when calling le16_to_cpu():
> 144:    le16_to_cpu(host_cmd->command)
> I am not quite sure whether this possible null-pointer dereference is
> real and how to fix it if it is real.
> Any feedback would be appreciated, thanks!

I doubt it's real; the NULL check is probably excessive. I don't think
there's any case in which such skb's will have no ->data. If you're
interested, you could test and submit a "fix" to drop the excess


Powered by blists - more mailing lists