| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Oct 2021 05:46:15 +0000
From: Pkshih <pkshih@...ltek.com>
To: Kalle Valo <kvalo@...eaurora.org>
CC: Colin King <colin.king@...onical.com>,
"David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
"linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> -----Original Message-----
> From: kvalo=codeaurora.org@...codeaurora.org <kvalo=codeaurora.org@...codeaurora.org> On Behalf Of Kalle
> Valo
> Sent: Wednesday, October 20, 2021 4:36 PM
> To: Pkshih <pkshih@...ltek.com>
> Cc: Colin King <colin.king@...onical.com>; David S . Miller <davem@...emloft.net>; Jakub Kicinski
> <kuba@...nel.org>; linux-wireless@...r.kernel.org; netdev@...r.kernel.org;
> kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> Subject: Re: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
>
> Pkshih <pkshih@...ltek.com> writes:
>
> >> -----Original Message-----
> >> From: kvalo=codeaurora.org@...codeaurora.org
> >> <kvalo=codeaurora.org@...codeaurora.org> On
> >> Behalf Of Kalle Valo
> >> Sent: Monday, October 18, 2021 8:12 PM
> >> To: Pkshih <pkshih@...ltek.com>
> >> Cc: Colin King <colin.king@...onical.com>; David S . Miller
> >> <davem@...emloft.net>; Jakub
> >> Kicinski <kuba@...nel.org>; linux-wireless@...r.kernel.org; netdev@...r.kernel.org;
> >> kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> >> Subject: Re: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> >>
> >> Pkshih <pkshih@...ltek.com> writes:
> >>
> >> >> -----Original Message-----
> >> >> From: Colin King <colin.king@...onical.com>
> >> >> Sent: Friday, October 15, 2021 11:46 PM
> >> >> To: Kalle Valo <kvalo@...eaurora.org>; David S . Miller <davem@...emloft.net>; Jakub Kicinski
> >> >> <kuba@...nel.org>; Pkshih <pkshih@...ltek.com>; linux-wireless@...r.kernel.org;
> >> >> netdev@...r.kernel.org
> >> >> Cc: kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> >> >> Subject: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> >> >>
> >> >> From: Colin Ian King <colin.king@...onical.com>
> >> >>
> >> >> The pointer rtwsta is dereferencing pointer sta before sta is
> >> >> being null checked, so there is a potential null pointer deference
> >> >> issue that may occur. Fix this by only assigning rtwsta after sta
> >> >> has been null checked. Add in a null pointer check on rtwsta before
> >> >> dereferencing it too.
> >> >>
> >> >> Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
> >> >> Addresses-Coverity: ("Dereference before null check")
> >> >> Signed-off-by: Colin Ian King <colin.king@...onical.com>
> >> >> ---
> >> >> drivers/net/wireless/realtek/rtw89/core.c | 9 +++++++--
> >> >> 1 file changed, 7 insertions(+), 2 deletions(-)
> >> >>
> >> >> diff --git a/drivers/net/wireless/realtek/rtw89/core.c
> >> >> b/drivers/net/wireless/realtek/rtw89/core.c
> >> >> index 06fb6e5b1b37..26f52a25f545 100644
> >> >> --- a/drivers/net/wireless/realtek/rtw89/core.c
> >> >> +++ b/drivers/net/wireless/realtek/rtw89/core.c
> >> >> @@ -1534,9 +1534,14 @@ static bool rtw89_core_txq_agg_wait(struct rtw89_dev *rtwdev,
> >> >> {
> >> >> struct rtw89_txq *rtwtxq = (struct rtw89_txq *)txq->drv_priv;
> >> >> struct ieee80211_sta *sta = txq->sta;
> >> >> - struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;
> >> >
> >> > 'sta->drv_priv' is only a pointer, we don't really dereference the
> >> > data right here, so I think this is safe. More, compiler can optimize
> >> > this instruction that reorder it to the place just right before using.
> >> > So, it seems like a false alarm.
> >> >
> >> >> + struct rtw89_sta *rtwsta;
> >> >>
> >> >> - if (!sta || rtwsta->max_agg_wait <= 0)
> >> >> + if (!sta)
> >> >> + return false;
> >> >> + rtwsta = (struct rtw89_sta *)sta->drv_priv;
> >> >> + if (!rtwsta)
> >> >> + return false;
> >> >> + if (rtwsta->max_agg_wait <= 0)
> >> >> return false;
> >> >>
> >> >> if (rtwdev->stats.tx_tfc_lv <= RTW89_TFC_MID)
> >> >
> >> > I check the size of object files before/after this patch, and
> >> > the original one is smaller.
> >> >
> >> > text data bss dec hex filename
> >> > 16781 3392 1 20174 4ece core-0.o // original
> >> > 16819 3392 1 20212 4ef4 core-1.o // after this patch
> >> >
> >> > Do you think it is worth to apply this patch?
> >>
> >> I think that we should apply the patch. Even though the compiler _may_
> >> reorder the code, it might choose not to do that.
> >
> > Understand.
> >
> > I have another way to fix this coverity warning, like:
> >
> > @@ -1617,7 +1617,7 @@ static bool rtw89_core_txq_agg_wait(struct rtw89_dev *rtwdev,
> > {
> > struct rtw89_txq *rtwtxq = (struct rtw89_txq *)txq->drv_priv;
> > struct ieee80211_sta *sta = txq->sta;
> > - struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;
> > + struct rtw89_sta *rtwsta = sta ? (struct rtw89_sta *)sta->drv_priv : NULL;
> >
> > if (!sta || rtwsta->max_agg_wait <= 0)
> > return false;
> >
> > Is this acceptable?
> > It has a little redundant checking of 'sta', but the code looks clean.
>
> I feel that Colin's fix is more readable, but this is just matter of
> taste. You can choose.
I would like my version.
There are three similar warnings reported by smatch, so I will fix them by
myself. Please drop this patch.
But, still thank Colin to point out this issue.
--
Ping-Ke
Powered by blists - more mailing lists