| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Nov 2021 00:36:17 +0000
From: Pkshih <pkshih@...ltek.com>
To: Dan Carpenter <dan.carpenter@...cle.com>
CC: Colin King <colin.king@...onical.com>,
Kalle Valo <kvalo@...eaurora.org>,
"David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
"linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> -----Original Message-----
> From: Dan Carpenter <dan.carpenter@...cle.com>
> Sent: Tuesday, November 2, 2021 9:15 PM
> To: Pkshih <pkshih@...ltek.com>
> Cc: Colin King <colin.king@...onical.com>; Kalle Valo <kvalo@...eaurora.org>; David S . Miller
> <davem@...emloft.net>; Jakub Kicinski <kuba@...nel.org>; linux-wireless@...r.kernel.org;
> netdev@...r.kernel.org; kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> Subject: Re: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
>
> On Mon, Oct 18, 2021 at 03:35:28AM +0000, Pkshih wrote:
> >
> > > -----Original Message-----
> > > From: Colin King <colin.king@...onical.com>
> > > Sent: Friday, October 15, 2021 11:46 PM
> > > To: Kalle Valo <kvalo@...eaurora.org>; David S . Miller <davem@...emloft.net>; Jakub Kicinski
> > > <kuba@...nel.org>; Pkshih <pkshih@...ltek.com>; linux-wireless@...r.kernel.org;
> > > netdev@...r.kernel.org
> > > Cc: kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> > > Subject: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> > >
> > > From: Colin Ian King <colin.king@...onical.com>
> > >
> > > The pointer rtwsta is dereferencing pointer sta before sta is
> > > being null checked, so there is a potential null pointer deference
> > > issue that may occur. Fix this by only assigning rtwsta after sta
> > > has been null checked. Add in a null pointer check on rtwsta before
> > > dereferencing it too.
> > >
> > > Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
> > > Addresses-Coverity: ("Dereference before null check")
> > > Signed-off-by: Colin Ian King <colin.king@...onical.com>
> > > ---
> > > drivers/net/wireless/realtek/rtw89/core.c | 9 +++++++--
> > > 1 file changed, 7 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/net/wireless/realtek/rtw89/core.c
> > > b/drivers/net/wireless/realtek/rtw89/core.c
> > > index 06fb6e5b1b37..26f52a25f545 100644
> > > --- a/drivers/net/wireless/realtek/rtw89/core.c
> > > +++ b/drivers/net/wireless/realtek/rtw89/core.c
> > > @@ -1534,9 +1534,14 @@ static bool rtw89_core_txq_agg_wait(struct rtw89_dev *rtwdev,
> > > {
> > > struct rtw89_txq *rtwtxq = (struct rtw89_txq *)txq->drv_priv;
> > > struct ieee80211_sta *sta = txq->sta;
> > > - struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;
> >
> > 'sta->drv_priv' is only a pointer, we don't really dereference the
> > data right here, so I think this is safe. More, compiler can optimize
> > this instruction that reorder it to the place just right before using.
> > So, it seems like a false alarm.
>
> The warning is about "sta" not "sta->priv". It's not a false positive.
>
> I have heard discussions about compilers trying to work around these
> bugs by re-ordering the code. Is that an option in GCC? It's not
> something we should rely on, but I'm just curious if it exists in
> released versions.
>
I say GCC does "reorder" the code, because the object codes of following
two codes are identical with default or -Os ccflags.
If I misuse the term, please correct me.
Code-1:
struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;
if (!sta)
return false;
if (rtwsta->max_agg_wait <= 0)
return false;
Code-2:
struct rtw89_sta *rtwsta;
if (!sta)
return false;
rtwsta = (struct rtw89_sta *)sta->drv_priv;
if (rtwsta->max_agg_wait <= 0)
return false;
The code-1 is the original code Coverity and smatch warn use-before-check.
The code-2 can avoid this warning without doubt.
To be clear, I have sent a patch to fix this.
--
Ping-Ke
Powered by blists - more mailing lists