Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp9724544ybi; Wed, 24 Jul 2019 08:54:38 -0700 (PDT) X-Google-Smtp-Source: APXvYqyF0LnwD0gJoImfeBMK6JmKRkC60FtTQ1q1VNZkNdOcCucofQXikPU7A1qFFP9PUuBWhCwc X-Received: by 2002:aa7:84d4:: with SMTP id x20mr11887206pfn.60.1563983678831; Wed, 24 Jul 2019 08:54:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563983678; cv=none; d=google.com; s=arc-20160816; b=E8PbwmFbje8/e6Rw6yQVlkxQyDRBTKj8G9iFMDxGy0ZNGlx8FaO5iXlQWOMh5sNbIU wJq2NDEK5VyyHQGmEAGh1dABnODfLsVztLLeJOq6e6nIcYafd6o60TLviihP2dKoushW 7YANPzsga6ulWxt8Ei8ofYJxelrwnKdX2VvT/0QdQfxiUXkuND8oSrkCSuRhqfXm6+Bz tFTZS3SE7691+3FbIgUgav3RJOvKKzhLmSinz2uF7NNfuuiGFQCux42TTYTfYS2TXrcN zrPaom/2Jfyotm7C5/Ym9HwvXvwysbmIPcqCIk7GfSXjFr7fSFFeqAC8K5bJq3GU0wwT jdkA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:reply-to:message-id :subject:cc:to:from:date:dkim-signature; bh=St0OD81vvxUjVHgZdUhOHp3xMGk7dggtbpwmHrGdlCs=; b=TXyKfRl642hPtInEl+4iO9gx3J8GgKSO8+/aun+/FuKKw2Fg7/bw6LqsGCd6y1ALaU /jbKoid3gOXiK4caeG6Guc5Cb4fNghJA7O+rYhehtm0/eu4LcjGTGSbZep9w1HAa1dxK akDsDOyi1Ag8sETWnhCiyRV7J8VEcauIoKjOYJL2aeGaYtfVtRHKToEvVAxfqcTd5Lft nXYg8AMrNePZKP7jdoT+ALhibdnrfH95bE69PNtEcgX1lXaOZgcN+FEnlbYTa7bmWzGz BB+KJuvNpybbnctjztjT4zljCNfmzyY2R0DBC3vKIRmciJnV9n3Ng4C0a24wSDyGMxSU QTsw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=IfAfUuZN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f9si18814455pgc.510.2019.07.24.08.54.23; Wed, 24 Jul 2019 08:54:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=IfAfUuZN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728280AbfGXNDx (ORCPT + 99 others); Wed, 24 Jul 2019 09:03:53 -0400 Received: from mail-ot1-f68.google.com ([209.85.210.68]:34152 "EHLO mail-ot1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726767AbfGXNDx (ORCPT ); Wed, 24 Jul 2019 09:03:53 -0400 Received: by mail-ot1-f68.google.com with SMTP id n5so47794845otk.1 for ; Wed, 24 Jul 2019 06:03:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:reply-to:references :mime-version:content-disposition:in-reply-to:user-agent; bh=St0OD81vvxUjVHgZdUhOHp3xMGk7dggtbpwmHrGdlCs=; b=IfAfUuZNwlAO7G27XDwU/70KmfgndhtBPb/CVvFerZOY1UsTrBAZaBsxQUu4Uq2rWV VM6BynX+WW5IUD54TP9OSGt86xAG7c+3wb7rIFQ8aMuksZhdN/giH03bex2NMXVAALdp 9bWMi6AiogYkRVi+2jUaIaILcA7nMoVXOKc4nT4Q/b6i2lbeilJGuvDLqqvqo/Obc3sw TvHtU3ZcgzNNH9ZhDf/9mNdOtrMC8djomF0r5uL9l0hHt8F6VLq2cTH413aZApemW5Iv 1PLpjtob4WbpnpTR1RxCy69DKvcWcdwmu/0R+RriQz61AdIpwonqdGL2neGLwbF5ToFj XvVQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :reply-to:references:mime-version:content-disposition:in-reply-to :user-agent; bh=St0OD81vvxUjVHgZdUhOHp3xMGk7dggtbpwmHrGdlCs=; b=szd44/+DnLmZxmxiu+Bu/nehuNRksFeZnwt+tTFj2s2IQrXtmKIXzi6riouv9maACJ zr9tJtd5zpvUF4hM/U3DmwSlifoLg4tYjvsBsg/ZHvua/4KLDlATIrf+VjJDxP5qRFOS BEkjAx2LXaP601RFH5+v6n6bPUNjPn9uPa0h17e853XyNdVOTfheZ/1FcIrIem1MjQOU OTj7VuwJevXyu80zLSZfKVaUC0d64ztPOKPYLKpOFjVfS4pcR5hmZnK0HQ8ZsaG2l9xd QdPZLPuuoKjlnEhJFpsIxvXk5MYvEUAJn3g/I1IgYzOqZrFOW1AN73QCYlyzPNfhDwCt hzMQ== X-Gm-Message-State: APjAAAU6nOPCByCvSsayCiBmXYYgAkTAtiqb/mcMRfpc4kaWFlfWXF2A cKuO+z/oNZ99+3jNypHTFg== X-Received: by 2002:a9d:4703:: with SMTP id a3mr33765462otf.183.1563973432330; Wed, 24 Jul 2019 06:03:52 -0700 (PDT) Received: from serve.minyard.net (serve.minyard.net. [2001:470:b8f6:1b::1]) by smtp.gmail.com with ESMTPSA id u139sm16367244oie.55.2019.07.24.06.03.51 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Wed, 24 Jul 2019 06:03:51 -0700 (PDT) Received: from minyard.net (unknown [IPv6:2001:470:b8f6:1b:c4e8:4e9:949c:2f11]) by serve.minyard.net (Postfix) with ESMTPSA id 08AF01800D1; Wed, 24 Jul 2019 13:03:51 +0000 (UTC) Date: Wed, 24 Jul 2019 08:03:49 -0500 From: Corey Minyard To: Jia-Ju Bai Cc: arnd@arndb.de, gregkh@linuxfoundation.org, openipmi-developer@lists.sourceforge.net, linux-kernel@vger.kernel.org Subject: Re: [PATCH] char: ipmi: Fix possible pointer dereferences in msg_done_handler() Message-ID: <20190724130349.GI3066@minyard.net> Reply-To: minyard@acm.org References: <20190724102528.2165-1-baijiaju1990@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190724102528.2165-1-baijiaju1990@gmail.com> User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 24, 2019 at 06:25:28PM +0800, Jia-Ju Bai wrote: > In msg_done_handler(), there is an if statement on line 778 to check > whether msg is NULL: > if (msg) > > When msg is NULL, it is used on line 845: > if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) > and line 869: > if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) You cannot get into those states without msg being set, so there is no need to check for that msg is NULL there. If you look at those states elsewhere, you can see that curr_msg is set every time you go into those states. -corey > > Thus, possible null-pointer dereferences may occur. > > To fix these bugs, msg is checked before being used. > > These bugs are found by a static analysis tool STCheck written by us. > > Signed-off-by: Jia-Ju Bai > --- > drivers/char/ipmi/ipmi_ssif.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c > index 305fa5054274..2e40a98d9939 100644 > --- a/drivers/char/ipmi/ipmi_ssif.c > +++ b/drivers/char/ipmi/ipmi_ssif.c > @@ -842,6 +842,8 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result, > break; > > case SSIF_GETTING_EVENTS: > + if (!msg) > + break; > if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) { > /* Error getting event, probably done. */ > msg->done(msg); > @@ -866,6 +868,8 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result, > break; > > case SSIF_GETTING_MESSAGES: > + if (!msg) > + break; > if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) { > /* Error getting event, probably done. */ > msg->done(msg); > -- > 2.17.0 >