Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp2001212pxb; Sat, 2 Apr 2022 11:16:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy9LkufaWKX/bZHfH7T5egzgPOM2+WV67XyeakypW+Cgkti8O0WeyuqjgXitkTOf6TQXo2u X-Received: by 2002:a17:906:6841:b0:6cf:9c02:8965 with SMTP id a1-20020a170906684100b006cf9c028965mr4516532ejs.440.1648923412010; Sat, 02 Apr 2022 11:16:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648923412; cv=none; d=google.com; s=arc-20160816; b=OfnASZ74dtaJ/vFJf6acZoPbEMZg+cpNhkR1McY5qQ/4d6IGsD4Lk+ccKR/y3h3mdu nrD/vmF4qYpUTsiMV+3k81Kr2wbWuJW0khLX6/Hr0MeBWbPePQcfPXc8lbuZ9589RS7N M0Wo/+njZrpF0m6jqz3g4pPT+jVDPMYWZ1HwsRLt9EaGrNKwu7y59JPCcR0vpuYCzFLU R60ajdEJSjtfjjV4DtQFK+o9MLnZzsKiv2fCuuGDd6jl/XxJaqQzgybSvccqzYOfycMh Z3ttH8liuNO9PgG2n2BQz1HHht+2XTSo/wWT98oSMjBzO0NQXCSlKMsYD5kBEkHrQkq1 6GMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:subject:user-agent:mime-version:date:message-id; bh=HMk0UPPNv2VUH98HoX6P+qISAVeiRqv9HYnQJNKqaPQ=; b=qTVO9a3PEowI9e8W/83BH+f9zbiQIFOVHEOEpa3wSIScQm+uixAdmeydhv7aXjVIiI 3rr61fCNkr5txjyGCsLiUW/zwA9DQz58aiZpq/ZOLQLESRAqj4So8rgRx07AT7qldHw6 OZSysTAwlfgupK3Y+HhHtKMXV8OPWNFJoC05Dv30r4gImWgtUZzqogS6Rvm+rKfUx2bF RydPFwlvkVWjJkKf7pk6SBcAFBmeH0tepn7m+OVvN0/UaS7QNILAf49efCkkadTTYa61 KdMObACqMfKRL2qpgBuqA/yR1uxX9aNgnDFESY5QeTorPsZL8hBDTp+geqjQDKs1eTjb cv8A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y19-20020a056402441300b00419dbec993fsi5226706eda.374.2022.04.02.11.16.26; Sat, 02 Apr 2022 11:16:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237867AbiDBDyr (ORCPT + 99 others); Fri, 1 Apr 2022 23:54:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38492 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230161AbiDBDyp (ORCPT ); Fri, 1 Apr 2022 23:54:45 -0400 Received: from mail.meizu.com (edge05.meizu.com [157.122.146.251]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E69C20A953 for ; Fri, 1 Apr 2022 20:52:51 -0700 (PDT) Received: from IT-EXMB-1-125.meizu.com (172.16.1.125) by mz-mail12.meizu.com (172.16.1.108) with Microsoft SMTP Server (TLS) id 14.3.487.0; Sat, 2 Apr 2022 20:03:16 +0800 Received: from [172.16.137.70] (172.16.137.70) by IT-EXMB-1-125.meizu.com (172.16.1.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.14; Sat, 2 Apr 2022 11:52:48 +0800 Message-ID: <94f5e266-4412-cf45-9ac3-bbe78477f0c4@meizu.com> Date: Sat, 2 Apr 2022 11:52:47 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [PATCH] ipmi: ssif: potential NULL dereference in msg_done_handler() To: CC: , References: <1648783665-19237-1-git-send-email-baihaowen@meizu.com> <20220401124809.GF29333@minyard.net> From: baihaowen In-Reply-To: <20220401124809.GF29333@minyard.net> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit X-Originating-IP: [172.16.137.70] X-ClientProxiedBy: IT-EXMB-1-123.meizu.com (172.16.1.123) To IT-EXMB-1-125.meizu.com (172.16.1.125) X-Spam-Status: No, score=-1.0 required=5.0 tests=BAYES_00,KHOP_HELO_FCRDNS, NICE_REPLY_A,SPF_HELO_NONE,SPF_SOFTFAIL,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Dear Corey Thank you for your kindly reply and suggestion. :) 在 4/1/22 8:48 PM, Corey Minyard 写道: > On Fri, Apr 01, 2022 at 11:27:45AM +0800, Haowen Bai wrote: >> msg could be null without checking null and return, but still dereference >> msg->rsp[2] and will lead to a null pointer trigger. > Actually: > > If you look at the big picture (how the rest of the code works), it's > not possible for msg to be NULL in these cases. However, being > defensive here is probably a good idea. > > There are two of these cases, why didn't you fix both of them? > > This still doesn't fix the problem. There is an "else if" in both > cases that also uses msg. > > You can't just look at the output of some code analysis tool and make a > blind decision like this. You have to look at the big picture. And you > have to analyze the code carefully. > > The right way to be defensive here is to add: > if (!msg) { > ipmi_ssif_unlock_cond(ssif_info, flags); > break; > } > in both cases. And probably add a log, since this means something else > went wrong. > > Anyway, I'll add a patch for defensive measure and give you credit for > pointing it out. > > -corey > >> Signed-off-by: Haowen Bai >> --- >> drivers/char/ipmi/ipmi_ssif.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c >> index f199cc1..9383de3 100644 >> --- a/drivers/char/ipmi/ipmi_ssif.c >> +++ b/drivers/char/ipmi/ipmi_ssif.c >> @@ -814,7 +814,7 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result, >> break; >> >> case SSIF_GETTING_EVENTS: >> - if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) { >> + if ((result < 0) || (len < 3) || (msg && (msg->rsp[2] != 0))) { >> /* Error getting event, probably done. */ >> msg->done(msg); >> >> -- >> 2.7.4 >> -- Haowen Bai