| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Oct 2021 03:35:28 +0000
From: Pkshih <pkshih@...ltek.com>
To: Colin King <colin.king@...onical.com>,
Kalle Valo <kvalo@...eaurora.org>,
"David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
"linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC: "kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> -----Original Message-----
> From: Colin King <colin.king@...onical.com>
> Sent: Friday, October 15, 2021 11:46 PM
> To: Kalle Valo <kvalo@...eaurora.org>; David S . Miller <davem@...emloft.net>; Jakub Kicinski
> <kuba@...nel.org>; Pkshih <pkshih@...ltek.com>; linux-wireless@...r.kernel.org;
> netdev@...r.kernel.org
> Cc: kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> Subject: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
>
> From: Colin Ian King <colin.king@...onical.com>
>
> The pointer rtwsta is dereferencing pointer sta before sta is
> being null checked, so there is a potential null pointer deference
> issue that may occur. Fix this by only assigning rtwsta after sta
> has been null checked. Add in a null pointer check on rtwsta before
> dereferencing it too.
>
> Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
> Addresses-Coverity: ("Dereference before null check")
> Signed-off-by: Colin Ian King <colin.king@...onical.com>
> ---
> drivers/net/wireless/realtek/rtw89/core.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/realtek/rtw89/core.c
> b/drivers/net/wireless/realtek/rtw89/core.c
> index 06fb6e5b1b37..26f52a25f545 100644
> --- a/drivers/net/wireless/realtek/rtw89/core.c
> +++ b/drivers/net/wireless/realtek/rtw89/core.c
> @@ -1534,9 +1534,14 @@ static bool rtw89_core_txq_agg_wait(struct rtw89_dev *rtwdev,
> {
> struct rtw89_txq *rtwtxq = (struct rtw89_txq *)txq->drv_priv;
> struct ieee80211_sta *sta = txq->sta;
> - struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;
'sta->drv_priv' is only a pointer, we don't really dereference the
data right here, so I think this is safe. More, compiler can optimize
this instruction that reorder it to the place just right before using.
So, it seems like a false alarm.
> + struct rtw89_sta *rtwsta;
>
> - if (!sta || rtwsta->max_agg_wait <= 0)
> + if (!sta)
> + return false;
> + rtwsta = (struct rtw89_sta *)sta->drv_priv;
> + if (!rtwsta)
> + return false;
> + if (rtwsta->max_agg_wait <= 0)
> return false;
>
> if (rtwdev->stats.tx_tfc_lv <= RTW89_TFC_MID)
I check the size of object files before/after this patch, and
the original one is smaller.
text data bss dec hex filename
16781 3392 1 20174 4ece core-0.o // original
16819 3392 1 20212 4ef4 core-1.o // after this patch
Do you think it is worth to apply this patch?
--
Ping-Ke
Powered by blists - more mailing lists