Message ID | 20240229093756.129324-1-rand.sec96@gmail.com |
---|---|
State | New |
Headers | From: Rand Deeb <rand.sec96@gmail.com>; To: Michael Buesch <m@bues.ch>, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org; Cc: deeb.rand@confident.ru, lvc-project@linuxtesting.org, voskresenski.stanislav@confident.ru, Rand Deeb <rand.sec96@gmail.com>; Subject: [PATCH] ssb: Fix potential NULL pointer dereference in ssb_device_uevent; Date: Thu, 29 Feb 2024 12:37:56 +0300; X-Mailer: git-send-email 2.34.1 |
Series | ssb: Fix potential NULL pointer dereference in ssb_device_uevent |
Commit Message
Rand Deeb
Feb. 29, 2024, 9:37 a.m. UTC
The ssb_device_uevent function first attempts to convert the 'dev' pointer
to 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before
performing the NULL check, potentially leading to a NULL pointer
dereference if 'dev' is NULL.
To fix this issue, this patch moves the NULL check before dereferencing the
'dev' pointer, ensuring that the pointer is valid before attempting to use
it.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
---
drivers/ssb/main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Comments
Hi,

On Thu, 29 Feb 2024 at 10:38, Rand Deeb <rand.sec96@gmail.com> wrote:
>
> The ssb_device_uevent function first attempts to convert the 'dev' pointer
> to 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before
> performing the NULL check, potentially leading to a NULL pointer
> dereference if 'dev' is NULL.
>
> To fix this issue, this patch moves the NULL check before dereferencing the
> 'dev' pointer, ensuring that the pointer is valid before attempting to use
> it.

Might be worth pointing out that dev_to_ssb_dev() does dereference dev, in contrast to most (dev_)to_*_dev() helpers that just calculate a new pointer from an offset via container_of(), and thus are a-okay with NULL pointers (but I think this would be UB), or even explicitly return NULL if the passed dev is NULL.

Though I wonder if dev can even be NULL at this point, or if the NULL check is actually bogus and could be dropped.

AFAICT the caller of this function would be dev_uevent(), and it does it here:

        /* have the bus specific function add its stuff */
        if (dev->bus && dev->bus->uevent) {
                retval = dev->bus->uevent(dev, env);

which can only be possible if dev is non-NULL.

I can't really tell if uevent_show() would also call this function, but even that one dereferences dev before calling uevent().

So from a first glance I would think dev is guaranteed to be non-NULL.

> (snip)

Best Regards,
Jonas
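The distinction drawn in the reply above, as an added userspace model that is not code from the patch or the kernel tree: one conversion helper only does pointer arithmetic, the other also loads through the result, which is why the NULL test has to come first. The struct layouts, `foo_device`, `ssb_wrapper`, `to_foo_dev`, `model_dev_to_ssb_dev`, `model_uevent` and the ID values are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-ins for the kernel types; names and layouts are assumptions. */
struct device { int id; };
struct ssb_device { unsigned int vendor, coreid, rev; };
struct foo_device { int flags; struct device dev; };
struct ssb_wrapper { struct device dev; struct ssb_device *sdev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Kind 1: pointer arithmetic only, nothing behind dev is read. */
static struct foo_device *to_foo_dev(struct device *dev)
{
	return container_of(dev, struct foo_device, dev);
}

/* Kind 2: arithmetic plus a load through the result, so dev must be valid. */
static struct ssb_device *model_dev_to_ssb_dev(struct device *dev)
{
	return container_of(dev, struct ssb_wrapper, dev)->sdev;
}

/* Ordering from the patch: test dev first, convert afterwards. */
static int model_uevent(struct device *dev, char *buf, size_t len)
{
	struct ssb_device *ssb_dev;
	if (!dev)
		return -ENODEV;
	ssb_dev = model_dev_to_ssb_dev(dev);
	snprintf(buf, len, "MODALIAS=ssb:v%04Xid%04Xrev%02X",
		 ssb_dev->vendor, ssb_dev->coreid, ssb_dev->rev);
	return 0;
}

int main(void)
{
	struct ssb_device sdev = { 0x4243, 0x0812, 0x0D }; /* constructed IDs */
	struct ssb_wrapper wrap = { { 1 }, &sdev };
	struct foo_device foo = { 0, { 2 } };
	char buf[64] = "";
	if (to_foo_dev(&foo.dev) != &foo || model_uevent(&wrap.dev, buf, sizeof(buf)))
		return 1;
	printf("%s, NULL dev -> %d\n", buf, model_uevent(NULL, buf, sizeof(buf)));
	return strcmp(buf, "MODALIAS=ssb:v4243id0812rev0D") != 0;
}
```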
On Thu, 29 Feb 2024 12:37:56 +0300 Rand Deeb <rand.sec96@gmail.com> wrote: > static int ssb_device_uevent(struct device *dev, struct kobj_uevent_env *env) > { > - struct ssb_device *ssb_dev = dev_to_ssb_dev(dev); > + struct ssb_device *ssb_dev; > > if (!dev) > return -ENODEV; > > + ssb_dev = dev_to_ssb_dev(dev); > + > return add_uevent_var(env, > "MODALIAS=ssb:v%04Xid%04Xrev%02X", > ssb_dev->id.vendor, ssb_dev->id.coreid, Good catch. Acked-by: Michael Büsch <m@bues.ch>
diff --git a/drivers/ssb/main.c b/drivers/ssb/main.c index 9e54bc7eec66..74f549557a01 100644 --- a/drivers/ssb/main.c +++ b/drivers/ssb/main.c @@ -340,11 +340,13 @@ static int ssb_bus_match(struct device *dev, struct device_driver *drv) static int ssb_device_uevent(struct device *dev, struct kobj_uevent_env *env) { - struct ssb_device *ssb_dev = dev_to_ssb_dev(dev); + struct ssb_device *ssb_dev; if (!dev) return -ENODEV; + ssb_dev = dev_to_ssb_dev(dev); + return add_uevent_var(env, "MODALIAS=ssb:v%04Xid%04Xrev%02X", ssb_dev->id.vendor, ssb_dev->id.coreid,
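Review bot: The `if (!dev)` test that this hunk keeps at the top of ssb_device_uevent() may be dead code, and the changelog does not name a caller that can pass a NULL dev; as quoted in the thread, dev_uevent() has already evaluated dev->bus->uevent before making the call. Please either say in the commit message which path reaches this function with dev == NULL, or drop the check and leave the dev_to_ssb_dev(dev) initializer on the declaration line. If the reordering stays, the message should also state that dev_to_ssb_dev() reads through dev, since that is what makes the original order a problem.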