Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp9523629ybi; Wed, 24 Jul 2019 05:39:53 -0700 (PDT) X-Google-Smtp-Source: APXvYqytW4v/4hLq1x2U5y4JSpN4Kyj3uolN9+vl9z0X49ZKcliUIanAPG0EkvP8zaYIkQiftj74 X-Received: by 2002:a63:204b:: with SMTP id r11mr41531676pgm.121.1563971993020; Wed, 24 Jul 2019 05:39:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563971993; cv=none; d=google.com; s=arc-20160816; b=1EDxhBwv8C8E0dnwF3ocECOm+WejLgD9j7+EMAmYOuXcTGh/IxdrzYUCUM7BH0eay/ YoZZtyCYwSlse2SbPQjYfbBJPLyeYHZv/Rucc3pIpbC1qsT0t8zQnd6bHJbYX8Wva3X0 FNWaLmmth0aQdbG1BCQLt+yJoZiQ6hqn1tx30qtfBkU3i48H4cSr4CTbdIUT23OHYsYt nLB6SF+dZ4a0g4qOnpQg6ZJs8GtuBSC2gCvdyaFCqjqYzh2L17QC5ugOgTY2JmmuVms+ rQpzsF655c0upQ+ffaIQhBGACr10LAcybBqq6PYdOblfoAwjebj7XW5ZM4RBWO6AkVo/ un8Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=1/gt9BhlisdGUb5bIZc32HBL4A6Aaa9ZnK24W35108A=; b=HwqMTQlnP/ssQ5bcBi/Wb9NflzfZUwmIE/iTRgd2Cp7+4gO+nax8haP8di4XpIpQ0b r6G3rTN5YRn8PAv11Lrds4qoJKkw5VZyIVTRUdrfvdqBwKc+g5+sb+Wj198ggBDMIT3f cMjNmiaga6i79EclfhKK4/xJssK/c1fmgPPn1WbCCAx5NQfuaTZSUXDylhp1Mg6uwkQd N65T9I2EbzhR+vm2QcL8eUfGuZC9arHLWHi+MftJsWtM+NQkuPHWGI/CWRJwW/rqThmf gPCm8paIZ79GRDjE8By43JFAhTyxNxPuzW50UAt1Uxtq2gM3ch3sFlc+YbrsToGmrcuP tklQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=uA+OZd8O; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l15si12999123pjq.104.2019.07.24.05.39.38; Wed, 24 Jul 2019 05:39:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=uA+OZd8O; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726847AbfGXKZf (ORCPT + 99 others); Wed, 24 Jul 2019 06:25:35 -0400 Received: from mail-pl1-f196.google.com ([209.85.214.196]:37028 "EHLO mail-pl1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726690AbfGXKZf (ORCPT ); Wed, 24 Jul 2019 06:25:35 -0400 Received: by mail-pl1-f196.google.com with SMTP id b3so21844781plr.4 for ; Wed, 24 Jul 2019 03:25:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=1/gt9BhlisdGUb5bIZc32HBL4A6Aaa9ZnK24W35108A=; b=uA+OZd8OySVziMrPHNJlp60UvU/H1XoCXeIteODI4UVYJH3MAjLo+IOHEXdFNY8h5i pr0R/dkOYJgka3vNCqkhoIypXKnICTZllMqAyfGbTtjC/G5OMFRpbveFWnvnN39eoHNj X3ZDqCKdtyj8DH/qAyfJ4DpbGmjgw55WrNLNbF9TjeQkrUyH+grXqZTkxWWG0Q3KWy4P /jLf1aij38VDEaks4ev0UTdljmO+l/gJHBD226q0t2sILIyYyauDQBDaiuabz5bWrjxx A+WwOngLVnh9zt90tY/tUwvlLiF9DzGsVjU01Eb0biJYyC8tRyOi7xRECotdniKsT8AA 5hzA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=1/gt9BhlisdGUb5bIZc32HBL4A6Aaa9ZnK24W35108A=; b=cBqqV1T7ZUjzUWGgoWc0oEWTdITgcPGRoubTMZXCPQUTta/sax09XenV58O9Ge8f/b orIr3GWTe5jnWwHmKxomz265sFFC+2CDCGgu3xGZNbDl4KDqAdCbw7yH7Eg/Ic8KH5TD wyrbXNZYCXkqCYSrTmc9wCnuaDmeMROG1ARmD9HJzr+ozDbfiRFDHV86+uYhyVLT4f+m EHpKPLrkL83gCUivow9WQCwb3mUvce03ykOj2HJpdnYXy41r+JjOkbbLNfS8267Yyuvb fgFKAEiAClZ5dWSyOXXH4hHebwSKIJACKqNsEedwPWHcS+EX0s4T3Cl/sIqcwCQgGMJi M2tQ== X-Gm-Message-State: APjAAAUW9SybVw4kEyULurpoJH5clQoOPkqvkYx0vsRG2qqx8mVWWPJO opyTudyro/uaX4XLXQi/OMc= X-Received: by 2002:a17:902:44f:: with SMTP id 73mr86081038ple.192.1563963934771; Wed, 24 Jul 2019 03:25:34 -0700 (PDT) Received: from oslab.tsinghua.edu.cn ([2402:f000:4:72:808::3ca]) by smtp.gmail.com with ESMTPSA id f7sm45390884pfd.43.2019.07.24.03.25.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 Jul 2019 03:25:34 -0700 (PDT) From: Jia-Ju Bai To: minyard@acm.org, arnd@arndb.de, gregkh@linuxfoundation.org Cc: openipmi-developer@lists.sourceforge.net, linux-kernel@vger.kernel.org, Jia-Ju Bai Subject: [PATCH] char: ipmi: Fix possible pointer dereferences in msg_done_handler() Date: Wed, 24 Jul 2019 18:25:28 +0800 Message-Id: <20190724102528.2165-1-baijiaju1990@gmail.com> X-Mailer: git-send-email 2.17.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In msg_done_handler(), there is an if statement on line 778 to check whether msg is NULL: if (msg) When msg is NULL, it is used on line 845: if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) and line 869: if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) Thus, possible null-pointer dereferences may occur. To fix these bugs, msg is checked before being used. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai --- drivers/char/ipmi/ipmi_ssif.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c index 305fa5054274..2e40a98d9939 100644 --- a/drivers/char/ipmi/ipmi_ssif.c +++ b/drivers/char/ipmi/ipmi_ssif.c @@ -842,6 +842,8 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result, break; case SSIF_GETTING_EVENTS: + if (!msg) + break; if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) { /* Error getting event, probably done. */ msg->done(msg); @@ -866,6 +868,8 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result, break; case SSIF_GETTING_MESSAGES: + if (!msg) + break; if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) { /* Error getting event, probably done. */ msg->done(msg); -- 2.17.0