Received: by 10.192.165.148 with SMTP id m20csp3910518imm; Mon, 30 Apr 2018 08:25:27 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpo+aIQvuq0EdJIfuw06Q6NIuEeVCaT25iC0uvQ9E0Yh3fbY3tBSKKlchN6k2fHNSllnkXX X-Received: by 2002:a17:902:bd8e:: with SMTP id q14-v6mr13103160pls.322.1525101927767; Mon, 30 Apr 2018 08:25:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525101927; cv=none; d=google.com; s=arc-20160816; b=jDATBMB4VquRRQuQDlC0uZcSUerUVU95nA/GjZJbE05KPPqdD2/qXKP8qJ1THTniIq CAFiKzZnd1a72GVcpXRA20gdfZ66/nEEXU/W/59He4Sbvaeeo+LRekxrywzCu2uBWUEp XVRgWcRxcctvcQm0R/2iUPD1kSbGZslAH6C9S/9UOQupKG7K5VEx+VFVZ5X5jVrqXhP5 ZhQ63RnCZedgZehEuikrwifg4HJJWw08/5ULLlxQ62R6wSCQH/AEHHSfm6Sf7Yg3JhXv t/MRh/rdX3hJTr4dqa6kHwNwd3Tn3VUWhoxDGrZ8pkSIOotMLdf9MrgpQd/k8Fb2VcEA /Weg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=5Yw+M8ykYWk/jKf3b/yTaEeQcsJTX6fKgq3rjH7lUoI=; b=w5hwyooeS4s3r4xFYUJ9TuC0KwE4YoAKJjbdCFG2XJG9SAju4dYJEvGeB9TedE65AN 87X1vrUuoK05fWiAg2ENGMob9jWL5otLQiq0wf8ihLxYAtTy/vwo+TXMC0LTpLDs2YO4 FypUnxX+d5ehvGEcuI7phBwPduSmZCW6byV3posP9XIoiztrj+nX3F9HtzK3I3kDUDod KyJPfjn3DgSZ5GHJ7NO8jeYdO3YKOcPtWRvycyxxPixyOV1mgViQ6BVM1A4ZB2cgVCEO P2Ps9sLopRhvU9fZ8ZRW0ysSoyeELJOAm0R9EVTQHCTaOEc8HL6qKW+kpYsFFoic5WT3 geFw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=COxEOhL4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id bi12-v6si3086292plb.546.2018.04.30.08.25.13; Mon, 30 Apr 2018 08:25:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=COxEOhL4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754478AbeD3PXs (ORCPT + 99 others); Mon, 30 Apr 2018 11:23:48 -0400 Received: from userp2120.oracle.com ([156.151.31.85]:46938 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754243AbeD3PXq (ORCPT ); Mon, 30 Apr 2018 11:23:46 -0400 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w3UFL5pw118378; Mon, 30 Apr 2018 15:23:31 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=corp-2017-10-26; bh=5Yw+M8ykYWk/jKf3b/yTaEeQcsJTX6fKgq3rjH7lUoI=; b=COxEOhL4LIUKaGMdY6XrlDrv3B2ksok48ZWIeXltRlo0qM26AeSDu606KBMIh+XAFsPj vHc0l8FpodP5lbqL5Za2WzVO3a5FFyPc8mlvIkyVyaczO/YssAq/8Q93azubw1UICaU9 MKILZ8zR/R27IftMgiS0Yh8be3nz6d6RB7TUFrFB1WmqP0DZ6z7hFi6C4a77rnt8oiMH LnsSt1OrJqS38nQ8EASOCPTm+o/9OTurwWmbqNhd1tEVhsrjhFkKZ9wvZ+hnWY0JEDmm OxNgaJJ19Q44LBqaOFVQEGPNIHON/hqCtbv/JuDNPjVI79UXSHvxoGMF9ksTl8PZWR9+ jg== Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp2120.oracle.com with ESMTP id 2hmhmfchu9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 30 Apr 2018 15:23:31 +0000 Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w3UFNUdE001758 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 30 Apr 2018 15:23:31 GMT Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w3UFNUEL002438; Mon, 30 Apr 2018 15:23:30 GMT Received: from mwanda (/197.254.35.146) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 30 Apr 2018 08:23:29 -0700 Date: Mon, 30 Apr 2018 18:23:21 +0300 From: Dan Carpenter To: Ajay Singh Cc: "Gustavo A. R. Silva" , devel@driverdev.osuosl.org, linux-wireless@vger.kernel.org, kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org, Ganesh Krishna , Greg Kroah-Hartman Subject: Re: [PATCH] staging: wilc1000: fix infinite loop and out-of-bounds access Message-ID: <20180430152321.7pq4ol2ed7tzsrl4@mwanda> References: <20180430125040.GA19050@embeddedor.com> <20180430195916.596a93eb@ajaysk-VirtualBox> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180430195916.596a93eb@ajaysk-VirtualBox> User-Agent: NeoMutt/20170609 (1.8.3) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8878 signatures=668698 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=2 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=808 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1804300147 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 30, 2018 at 07:59:16PM +0530, Ajay Singh wrote: > Reviewed-by: Ajay Singh > > On Mon, 30 Apr 2018 07:50:40 -0500 > "Gustavo A. R. Silva" wrote: > > > If i < slot_id is initially true then it will remain true. Also, > > as i is being decremented it will end up accessing memory out of > > bounds. > > > > Fix this by incrementing *i* instead of decrementing it. > > Nice catch! > Thanks for submitting the changes. > > > > > Addresses-Coverity-ID: 1468454 ("Infinite loop") > > Fixes: faa657641081 ("staging: wilc1000: refactor scan() to free > > kmalloc memory on failure cases") > > Signed-off-by: Gustavo A. R. Silva > > --- > > > > BTW... at first sight it seems to me that variables slot_id > > and i should be of type unsigned instead of signed. > > Yes, 'slot_id' & 'i' can be changed to unsigned int. > A lot of people think making things unsigned improves the code but I hate "unsigned int i"... I understand that in certain cases we do loop more than INT_MAX but those are a tiny tiny minority of loops. Simple types like "int" are more readable than complicated types like "unsigned int". Unsigned int just draws attention to itself and distracts people from things that might potentially matter. We have real life subtle loops like in xtea_encrypt() where we need to use unsigned types. And look at the function we're talking about here: drivers/staging/wilc1000/wilc_wfi_cfgoperations.c 577 static inline int 578 wilc_wfi_cfg_alloc_fill_ssid(struct cfg80211_scan_request *request, 579 struct hidden_network *ntwk) 580 { 581 int i; 582 int slot_id = 0; 583 584 ntwk->net_info = kcalloc(request->n_ssids, 585 sizeof(struct hidden_network), GFP_KERNEL); 586 if (!ntwk->net_info) 587 goto out; 588 589 ntwk->n_ssids = request->n_ssids; 590 591 for (i = 0; i < request->n_ssids; i++) { request->n_ssids is an int. It can't possibly be INT_MAX because the kcalloc() will fail. Ideally the static analysis tool should be able to tell you that if you seed it with the knowledge of how much memory it's possible to kmalloc(). So it's just laziness here is why the static checker complains, it should see there is no issue. Smatch fails here as well but I'll see if I can fix it. Anyway let's say it could be negative then 0 is greater than negative values so the loop would be a no-op. I've seen code where the user could set the loop bounds to s32min-4 but because it was "int i" instead of "unsigned int i" then it meant the loop was a no-op instead of being a security problem. In other words, unsigned can be less secure. I honestly have never seen a bug in the kernel where we intended to loop more than INT_MAX times, but there was a signedness bug preventing it. That's the only reason I can see to change the signedness. Am I missing something? 592 if (request->ssids[i].ssid_len > 0) { 593 struct hidden_net_info *info = &ntwk->net_info[slot_id]; 594 595 info->ssid = kmemdup(request->ssids[i].ssid, 596 request->ssids[i].ssid_len, 597 GFP_KERNEL); 598 if (!info->ssid) 599 goto out_free; 600 601 info->ssid_len = request->ssids[i].ssid_len; 602 slot_id++; 603 } else { 604 ntwk->n_ssids -= 1; 605 } 606 } 607 return 0; 608 609 out_free: 610 611 for (i = 0; i < slot_id ; i--) 612 kfree(ntwk->net_info[i].ssid); 613 614 kfree(ntwk->net_info); 615 out: 616 617 return -ENOMEM; 618 } regards, dan carpenter