From: Zhou Qingyang
To: zhou1615@umn.edu
Cc: kjlu@umn.edu, Arend van Spriel, Franky Lin, Hante Meuleman,
    Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Kalle Valo,
    "David S. Miller", Jakub Kicinski, Len Baker, "Gustavo A. R. Silva",
    Shawn Guo, Hans deGoede, Matthias Brugger,
    linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com,
    SHA-cyfmac-dev-list@infineon.com, netdev@vger.kernel.org,
    linux-kernel@vger.kernel.org
Subject: [PATCH] brcmfmac: Fix a NULL pointer dereference in brcmf_of_probe()
Date: Tue, 25 Jan 2022 00:50:46 +0800
Message-Id: <20220124165048.54677-1-zhou1615@umn.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

In brcmf_of_probe(), the return value of devm_kzalloc() is assigned to
board_type and there is a dereference of it in strcpy() right after
that. devm_kzalloc() could return NULL on failure of allocation, which
could lead to NULL pointer dereference.

Fix this bug by adding a NULL check of board_type.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings, and our static
analyzer no longer warns about this code.

Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
Signed-off-by: Zhou Qingyang
---
The analysis employs differential checking to identify inconsistent
security operations (e.g., checks or kfrees) between two code paths
and confirms that the inconsistent operations are not recovered in
the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c index 513c7e6421b2..535e8ddeab8d 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c @@ -80,6 +80,8 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, /* get rid of '/' in the compatible string to be able to find the FW */ len = strlen(tmp) + 1; board_type = devm_kzalloc(dev, len, GFP_KERNEL); + if (!board_type) + return; strscpy(board_type, tmp, len); for (i = 0; i < board_type[i]; i++) { if (board_type[i] == '/') -- 2.25.1
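
Review bot: The bare `return;` added after the `devm_kzalloc()` call abandons everything that follows it in brcmf_of_probe(), and because the function is declared void the caller gets no indication that the allocation failed or that the remainder of the probe was skipped. The commit message should state what is skipped on this path and why that is acceptable, or the check should be narrowed so that only the board_type handling is bypassed if the later steps do not depend on it. The commit message also describes the dereference as happening in strcpy(), while the context line shows `strscpy(board_type, tmp, len);`, so the wording should be brought in line with the code. Separately, the unchanged loop condition `i < board_type[i]` compares the index against a character value rather than against `len` or the terminating NUL, which looks worth a follow-up patch.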