| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Nov 2021 16:14:37 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Pkshih <pkshih@...ltek.com>
Cc: Colin King <colin.king@...onical.com>,
Kalle Valo <kvalo@...eaurora.org>,
"David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
"linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH][next] rtw89: Fix potential dereference of the null
pointer sta
On Mon, Oct 18, 2021 at 03:35:28AM +0000, Pkshih wrote:
>
> > -----Original Message-----
> > From: Colin King <colin.king@...onical.com>
> > Sent: Friday, October 15, 2021 11:46 PM
> > To: Kalle Valo <kvalo@...eaurora.org>; David S . Miller <davem@...emloft.net>; Jakub Kicinski
> > <kuba@...nel.org>; Pkshih <pkshih@...ltek.com>; linux-wireless@...r.kernel.org;
> > netdev@...r.kernel.org
> > Cc: kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> > Subject: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> >
> > From: Colin Ian King <colin.king@...onical.com>
> >
> > The pointer rtwsta is dereferencing pointer sta before sta is
> > being null checked, so there is a potential null pointer deference
> > issue that may occur. Fix this by only assigning rtwsta after sta
> > has been null checked. Add in a null pointer check on rtwsta before
> > dereferencing it too.
> >
> > Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
> > Addresses-Coverity: ("Dereference before null check")
> > Signed-off-by: Colin Ian King <colin.king@...onical.com>
> > ---
> > drivers/net/wireless/realtek/rtw89/core.c | 9 +++++++--
> > 1 file changed, 7 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/wireless/realtek/rtw89/core.c
> > b/drivers/net/wireless/realtek/rtw89/core.c
> > index 06fb6e5b1b37..26f52a25f545 100644
> > --- a/drivers/net/wireless/realtek/rtw89/core.c
> > +++ b/drivers/net/wireless/realtek/rtw89/core.c
> > @@ -1534,9 +1534,14 @@ static bool rtw89_core_txq_agg_wait(struct rtw89_dev *rtwdev,
> > {
> > struct rtw89_txq *rtwtxq = (struct rtw89_txq *)txq->drv_priv;
> > struct ieee80211_sta *sta = txq->sta;
> > - struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;
>
> 'sta->drv_priv' is only a pointer, we don't really dereference the
> data right here, so I think this is safe. More, compiler can optimize
> this instruction that reorder it to the place just right before using.
> So, it seems like a false alarm.
The warning is about "sta" not "sta->priv". It's not a false positive.
I have heard discussions about compilers trying to work around these
bugs by re-ordering the code. Is that an option in GCC? It's not
something we should rely on, but I'm just curious if it exists in
released versions.
regards,
dan carpenter
Powered by blists - more mailing lists