lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9cc681c217a449519aee524b35e6b6bc@realtek.com>
Date:   Mon, 18 Oct 2021 03:35:28 +0000
From:   Pkshih <pkshih@...ltek.com>
To:     Colin King <colin.king@...onical.com>,
        Kalle Valo <kvalo@...eaurora.org>,
        "David S . Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC:     "kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta


> -----Original Message-----
> From: Colin King <colin.king@...onical.com>
> Sent: Friday, October 15, 2021 11:46 PM
> To: Kalle Valo <kvalo@...eaurora.org>; David S . Miller <davem@...emloft.net>; Jakub Kicinski
> <kuba@...nel.org>; Pkshih <pkshih@...ltek.com>; linux-wireless@...r.kernel.org;
> netdev@...r.kernel.org
> Cc: kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> Subject: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> 
> From: Colin Ian King <colin.king@...onical.com>
> 
> The pointer rtwsta is dereferencing pointer sta before sta is
> being null checked, so there is a potential null pointer deference
> issue that may occur. Fix this by only assigning rtwsta after sta
> has been null checked. Add in a null pointer check on rtwsta before
> dereferencing it too.
> 
> Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
> Addresses-Coverity: ("Dereference before null check")
> Signed-off-by: Colin Ian King <colin.king@...onical.com>
> ---
>  drivers/net/wireless/realtek/rtw89/core.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/realtek/rtw89/core.c
> b/drivers/net/wireless/realtek/rtw89/core.c
> index 06fb6e5b1b37..26f52a25f545 100644
> --- a/drivers/net/wireless/realtek/rtw89/core.c
> +++ b/drivers/net/wireless/realtek/rtw89/core.c
> @@ -1534,9 +1534,14 @@ static bool rtw89_core_txq_agg_wait(struct rtw89_dev *rtwdev,
>  {
>  	struct rtw89_txq *rtwtxq = (struct rtw89_txq *)txq->drv_priv;
>  	struct ieee80211_sta *sta = txq->sta;
> -	struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;

'sta->drv_priv' is only a pointer, we don't really dereference the
data right here, so I think this is safe. More, compiler can optimize
this instruction that reorder it to the place just right before using.
So, it seems like a false alarm.

> +	struct rtw89_sta *rtwsta;
> 
> -	if (!sta || rtwsta->max_agg_wait <= 0)
> +	if (!sta)
> +		return false;
> +	rtwsta = (struct rtw89_sta *)sta->drv_priv;
> +	if (!rtwsta)
> +		return false;
> +	if (rtwsta->max_agg_wait <= 0)
>  		return false;
> 
>  	if (rtwdev->stats.tx_tfc_lv <= RTW89_TFC_MID)

I check the size of object files before/after this patch, and
the original one is smaller.

   text    data     bss     dec     hex filename
  16781    3392       1   20174    4ece core-0.o  // original
  16819    3392       1   20212    4ef4 core-1.o  // after this patch

Do you think it is worth to apply this patch?

--
Ping-Ke

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ