| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a29a8153-2a4f-1876-ec48-47e08db00a98@quicinc.com>
Date: Wed, 1 Dec 2021 09:22:36 -0800
From: Jeff Johnson <quic_jjohnson@...cinc.com>
To: Zhou Qingyang <zhou1615@....edu>
CC: <kjlu@....edu>, Kalle Valo <kvalo@...eaurora.org>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Manikanta Pubbisetty <mpubbise@...eaurora.org>,
Shashidhar Lakkavalli <slakkavalli@...to.com>,
Govindaraj Saminathan <gsamin@...eaurora.org>,
Vasanthakumar Thiagarajan <vthiagar@...eaurora.org>,
Pradeep Kumar Chitrapu <pradeepc@...eaurora.org>,
<ath11k@...ts.infradead.org>, <linux-wireless@...r.kernel.org>,
<netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ath11k: Fix a NULL pointer dereference in
ath11k_mac_op_hw_scan()
On 11/30/2021 12:43 AM, Zhou Qingyang wrote:
> In ath11k_mac_op_hw_scan(), the return value of kzalloc() is directly
> used in memcpy(), which may lead to a NULL pointer dereference on
> failure of kzalloc().
>
> Fix this bug by adding a check of arg.extraie.ptr.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_ATH11K=m show no new warnings, and our static
> analyzer no longer warns about this code.
>
> Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
> Signed-off-by: Zhou Qingyang <zhou1615@....edu>
> ---
> drivers/net/wireless/ath/ath11k/mac.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
> index 1cc55602787b..095f1f9b7611 100644
> --- a/drivers/net/wireless/ath/ath11k/mac.c
> +++ b/drivers/net/wireless/ath/ath11k/mac.c
> @@ -3237,8 +3237,13 @@ static int ath11k_mac_op_hw_scan(struct ieee80211_hw *hw,
> arg.scan_id = ATH11K_SCAN_ID;
>
> if (req->ie_len) {
> - arg.extraie.len = req->ie_len;
> arg.extraie.ptr = kzalloc(req->ie_len, GFP_KERNEL);
Your patch looks good, but since you are touching this code IMO this
should be changed to kmemdup() and we should remove the memcpy() below.
> + if (!arg.extraie.ptr) {
> + ret = -ENOMEM;
> + goto exit;
> + }
> +
> + arg.extraie.len = req->ie_len;
> memcpy(arg.extraie.ptr, req->ie, req->ie_len);
> }
>
>
Powered by blists - more mailing lists