lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c3de973999ea40cf967ffefe0ee56ed4@realtek.com>
Date:   Wed, 3 Nov 2021 00:36:17 +0000
From:   Pkshih <pkshih@...ltek.com>
To:     Dan Carpenter <dan.carpenter@...cle.com>
CC:     Colin King <colin.king@...onical.com>,
        Kalle Valo <kvalo@...eaurora.org>,
        "David S . Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta


> -----Original Message-----
> From: Dan Carpenter <dan.carpenter@...cle.com>
> Sent: Tuesday, November 2, 2021 9:15 PM
> To: Pkshih <pkshih@...ltek.com>
> Cc: Colin King <colin.king@...onical.com>; Kalle Valo <kvalo@...eaurora.org>; David S . Miller
> <davem@...emloft.net>; Jakub Kicinski <kuba@...nel.org>; linux-wireless@...r.kernel.org;
> netdev@...r.kernel.org; kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> Subject: Re: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> 
> On Mon, Oct 18, 2021 at 03:35:28AM +0000, Pkshih wrote:
> >
> > > -----Original Message-----
> > > From: Colin King <colin.king@...onical.com>
> > > Sent: Friday, October 15, 2021 11:46 PM
> > > To: Kalle Valo <kvalo@...eaurora.org>; David S . Miller <davem@...emloft.net>; Jakub Kicinski
> > > <kuba@...nel.org>; Pkshih <pkshih@...ltek.com>; linux-wireless@...r.kernel.org;
> > > netdev@...r.kernel.org
> > > Cc: kernel-janitors@...r.kernel.org; linux-kernel@...r.kernel.org
> > > Subject: [PATCH][next] rtw89: Fix potential dereference of the null pointer sta
> > >
> > > From: Colin Ian King <colin.king@...onical.com>
> > >
> > > The pointer rtwsta is dereferencing pointer sta before sta is
> > > being null checked, so there is a potential null pointer deference
> > > issue that may occur. Fix this by only assigning rtwsta after sta
> > > has been null checked. Add in a null pointer check on rtwsta before
> > > dereferencing it too.
> > >
> > > Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
> > > Addresses-Coverity: ("Dereference before null check")
> > > Signed-off-by: Colin Ian King <colin.king@...onical.com>
> > > ---
> > >  drivers/net/wireless/realtek/rtw89/core.c | 9 +++++++--
> > >  1 file changed, 7 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/net/wireless/realtek/rtw89/core.c
> > > b/drivers/net/wireless/realtek/rtw89/core.c
> > > index 06fb6e5b1b37..26f52a25f545 100644
> > > --- a/drivers/net/wireless/realtek/rtw89/core.c
> > > +++ b/drivers/net/wireless/realtek/rtw89/core.c
> > > @@ -1534,9 +1534,14 @@ static bool rtw89_core_txq_agg_wait(struct rtw89_dev *rtwdev,
> > >  {
> > >  	struct rtw89_txq *rtwtxq = (struct rtw89_txq *)txq->drv_priv;
> > >  	struct ieee80211_sta *sta = txq->sta;
> > > -	struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;
> >
> > 'sta->drv_priv' is only a pointer, we don't really dereference the
> > data right here, so I think this is safe. More, compiler can optimize
> > this instruction that reorder it to the place just right before using.
> > So, it seems like a false alarm.
> 
> The warning is about "sta" not "sta->priv".  It's not a false positive.
> 
> I have heard discussions about compilers trying to work around these
> bugs by re-ordering the code.  Is that an option in GCC?  It's not
> something we should rely on, but I'm just curious if it exists in
> released versions.
> 

I say GCC does "reorder" the code, because the object codes of following
two codes are identical with default or -Os ccflags.
If I misuse the term, please correct me.

Code-1:
	struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;

	if (!sta)
		return false;

	if (rtwsta->max_agg_wait <= 0)
		return false;

Code-2:
	struct rtw89_sta *rtwsta;

	if (!sta)
		return false;

	rtwsta = (struct rtw89_sta *)sta->drv_priv;
	if (rtwsta->max_agg_wait <= 0)
		return false;


The code-1 is the original code Coverity and smatch warn use-before-check.
The code-2 can avoid this warning without doubt.

To be clear, I have sent a patch to fix this.

--
Ping-Ke

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ