| Message ID | 20220124165048.54677-1-zhou1615@umn.edu |
|---|---|
| State | New |
| Headers | show |
| Series | brcmfmac: Fix a NULL pointer dereference in brcmf_of_probe() | expand |
On 1/24/2022 5:50 PM, 'Zhou Qingyang' via BRCM80211-DEV-LIST,PDL wrote: > In brcmf_of_probe(), the return value of devm_kzalloc() is assigned to > board_type and there is a dereference of it in strcpy() right after > that. devm_kzalloc() could return NULL on failure of allocation, which > could lead to NULL pointer dereference. > > Fix this bug by adding a NULL check of board_type. > > This bug was found by a static analyzer. > > Builds with 'make allyesconfig' show no new warnings, > and our static analyzer no longer warns about this code Thanks for this suggestion. However, this has been addressed already by this patch [1]. Regards, Arend [1] https://patchwork.kernel.org/project/linux-wireless/patch/20220117142919.207370-8-marcan@marcan.st/
On Tue, Jan 25, 2022 at 12:50:46AM +0800, Zhou Qingyang wrote: > In brcmf_of_probe(), the return value of devm_kzalloc() is assigned to > board_type and there is a dereference of it in strcpy() right after > that. devm_kzalloc() could return NULL on failure of allocation, which > could lead to NULL pointer dereference. > > Fix this bug by adding a NULL check of board_type. > > This bug was found by a static analyzer. > > Builds with 'make allyesconfig' show no new warnings, > and our static analyzer no longer warns about this code > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu> > --- > The analysis employs differential checking to identify inconsistent > security operations (e.g., checks or kfrees) between two code paths > and confirms that the inconsistent operations are not recovered in the > current function or the callers, so they constitute bugs. > > Note that, as a bug found by static analysis, it can be a false > positive or hard to trigger. Multiple researchers have cross-reviewed > the bug. > > drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > index 513c7e6421b2..535e8ddeab8d 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > @@ -80,6 +80,8 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, > /* get rid of '/' in the compatible string to be able to find the FW */ > len = strlen(tmp) + 1; > board_type = devm_kzalloc(dev, len, GFP_KERNEL); > + if (!board_type) > + return; > strscpy(board_type, tmp, len); > for (i = 0; i < board_type[i]; i++) { > if (board_type[i] == '/') > -- > 2.25.1 > As stated before, umn.edu is still not allowed to contribute to the Linux kernel. Please work with your administration to resolve this issue.
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c index 513c7e6421b2..535e8ddeab8d 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c @@ -80,6 +80,8 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, /* get rid of '/' in the compatible string to be able to find the FW */ len = strlen(tmp) + 1; board_type = devm_kzalloc(dev, len, GFP_KERNEL); + if (!board_type) + return; strscpy(board_type, tmp, len); for (i = 0; i < board_type[i]; i++) { if (board_type[i] == '/')
In brcmf_of_probe(), the return value of devm_kzalloc() is assigned to board_type and there is a dereference of it in strcpy() right after that. devm_kzalloc() could return NULL on failure of allocation, which could lead to NULL pointer dereference. Fix this bug by adding a NULL check of board_type. This bug was found by a static analyzer. Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") Signed-off-by: Zhou Qingyang <zhou1615@umn.edu> --- The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 ++ 1 file changed, 2 insertions(+)