From: Aleksandr Mishin
To: Jakob Koschel
CC: Aleksandr Mishin, Scott Branden, Broadcom internal kernel review list, Arnd Bergmann, Greg Kroah-Hartman
Subject: [PATCH] misc: bcm-vk: Fix NULL pointer dereference in case the buffer is not big enough in bcm_vk_read()
Date: Tue, 4 Jun 2024 22:58:20 +0300
Message-ID: <20240604195820.29426-1-amishin@t-argos.ru>
X-Mailer: git-send-email 2.30.2
X-Mailing-List: linux-kernel@vger.kernel.org

In case an entry is found but the buffer is not big enough in bcm_vk_read(), the found entry pointer remains unset but is later dereferenced. This will lead to a NULL pointer dereference. Fix this bug by moving the pointer setting and correcting the conditions.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 88517757a829 ("misc: bcm-vk: replace usage of found with dedicated list iterator variable")
Signed-off-by: Aleksandr Mishin --- drivers/misc/bcm-vk/bcm_vk_msg.c | 38 +++++++++++++++++--------------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/drivers/misc/bcm-vk/bcm_vk_msg.c b/drivers/misc/bcm-vk/bcm_vk_msg.c index 1f42d1d5a630..566bb055fcf7 100644 --- a/drivers/misc/bcm-vk/bcm_vk_msg.c +++ b/drivers/misc/bcm-vk/bcm_vk_msg.c @@ -1031,11 +1031,11 @@ ssize_t bcm_vk_read(struct file *p_file, (iter->to_h_blks * VK_MSGQ_BLK_SIZE)) { list_del(&iter->node); atomic_dec(&ctx->pend_cnt); - entry = iter; } else { /* buffer not big enough */ rc = -EMSGSIZE; } + entry = iter; goto read_loop_exit; } } 
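Review bot: moving `entry = iter;` below the if/else also captures the entry in the `-EMSGSIZE` branch, where `list_del(&iter->node)` was not executed, so from here on `entry` may point at a work entry that is still linked on the pend queue, and the second hunk then reads `entry->to_h_msg[0]`, `entry->usr_msg_id` and `entry->to_h_blks` after `spin_unlock(&chan->pendq_lock)`. The Fixes: line and the description indicate the code before 88517757a829 dereferenced the still-queued entry there as well, but since this loop is being touched anyway, consider snapshotting the first block inside the `else` while the lock is still held (a function-scope `struct vk_msg_blk tmp_msg;` filled from `iter->to_h_msg[0]`, then `set_msg_id(&tmp_msg, iter->usr_msg_id);` and `tmp_msg.size = iter->to_h_blks - 1;`) and leaving `entry` NULL on that path; the short-buffer branch after the unlock then only needs to `copy_to_user()` the snapshot and never touches a queued entry without the lock.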
@@ -1044,25 +1044,27 @@ ssize_t bcm_vk_read(struct file *p_file, spin_unlock(&chan->pendq_lock); if (entry) { - /* retrieve the passed down msg_id */ - set_msg_id(&entry->to_h_msg[0], entry->usr_msg_id); - rsp_length = entry->to_h_blks * VK_MSGQ_BLK_SIZE; - if (copy_to_user(buf, entry->to_h_msg, rsp_length) == 0) - rc = rsp_length; + if (rc != -EMSGSIZE) { + /* retrieve the passed down msg_id */ + set_msg_id(&entry->to_h_msg[0], entry->usr_msg_id); + rsp_length = entry->to_h_blks * VK_MSGQ_BLK_SIZE; + if (copy_to_user(buf, entry->to_h_msg, rsp_length) == 0) + rc = rsp_length; - bcm_vk_free_wkent(dev, entry); - } else if (rc == -EMSGSIZE) { - struct vk_msg_blk tmp_msg = entry->to_h_msg[0]; + bcm_vk_free_wkent(dev, entry); + } else { + struct vk_msg_blk tmp_msg = entry->to_h_msg[0]; - /* - * in this case, return just the first block, so - * that app knows what size it is looking for. - */ - set_msg_id(&tmp_msg, entry->usr_msg_id); - tmp_msg.size = entry->to_h_blks - 1; - if (copy_to_user(buf, &tmp_msg, VK_MSGQ_BLK_SIZE) != 0) { - dev_err(dev, "Error return 1st block in -EMSGSIZE\n"); - rc = -EFAULT; + /* + * in this case, return just the first block, so + * that app knows what size it is looking for. + */ + set_msg_id(&tmp_msg, entry->usr_msg_id); + tmp_msg.size = entry->to_h_blks - 1; + if (copy_to_user(buf, &tmp_msg, VK_MSGQ_BLK_SIZE) != 0) { + dev_err(dev, "Error return 1st block in -EMSGSIZE\n"); + rc = -EFAULT; + } } } return rc; -- 2.30.2
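Review bot: in the restructured block `rc != -EMSGSIZE` is now the only thing that distinguishes an entry that was unlinked with `list_del()` in the search loop, and so may be handed to `bcm_vk_free_wkent(dev, entry)`, from one that is still on the pend queue; that coupling between the value of `rc` and ownership of `entry` is implicit and nothing in the hunk states it. At minimum add a comment above `if (rc != -EMSGSIZE) {` saying the entry was dequeued only in that case; better, keep the original two-branch shape `if (entry) { ... } else if (rc == -EMSGSIZE) { ... }` and have the search loop fill a function-scope `struct vk_msg_blk tmp_msg` for the short-buffer case, which removes the dereference of a still-queued entry outside the lock and avoids re-indenting the whole `-EMSGSIZE` block for what is otherwise a two-line fix.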
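The short-buffer protocol the description refers to (return only the first block, with its size field telling the application how many more blocks it must make room for, and leave the message queued), modelled in user space. This is an added example and not code from the bcm-vk driver or from this patch: the names vk_blk, wkent, pendq, pendq_push, pendq_del, vk_read_model and run_demo, the 16-byte block size, the 4-block message cap and the -ENOMSG "nothing pending" return are all assumptions of the model, and it copies the first block while the (simulated) lock is held instead of keeping a pointer to the queued entry, which is a different structure from the patch above.

```c
/*
 * Added example, not code from the bcm-vk driver: a user-space model of the
 * bcm_vk_read() pend-queue lookup. vk_blk, wkent, pendq, vk_read_model,
 * BLK_SIZE and MAX_BLKS are invented here; the kernel's VK_MSGQ_BLK_SIZE,
 * struct vk_msg_blk layout, copy_to_user() and locking are only approximated.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define BLK_SIZE 16                 /* stands in for VK_MSGQ_BLK_SIZE */
#define MAX_BLKS 4

struct vk_blk {                     /* stands in for struct vk_msg_blk */
	uint8_t msg_id;
	uint8_t size;               /* number of blocks following this one */
	uint8_t payload[BLK_SIZE - 2];
};

struct wkent {                      /* stands in for struct bcm_vk_wkent */
	struct wkent *next;
	int ctx_idx;
	unsigned int to_h_blks;
	uint8_t usr_msg_id;
	struct vk_blk to_h_msg[MAX_BLKS];
};

struct pendq { struct wkent *head; };

static void pendq_push(struct pendq *q, struct wkent *e)
{
	e->next = q->head;
	q->head = e;
}

static void pendq_del(struct pendq *q, struct wkent *e) /* models list_del() */
{
	struct wkent **pp = &q->head;

	while (*pp && *pp != e)
		pp = &(*pp)->next;
	if (*pp)
		*pp = e->next;
}

/*
 * Read the first pending message for ctx_idx into buf (count bytes).
 * Returns the byte count on success, -EMSGSIZE with only the first block
 * copied when buf is too small (the entry stays queued), -ENOMSG when nothing
 * is pending. *freed is set when the dequeued entry would be released.
 */
static ssize_t vk_read_model(struct pendq *q, int ctx_idx,
			     uint8_t *buf, size_t count, int *freed)
{
	struct wkent *iter, *entry = NULL;
	struct vk_blk first = {0};  /* snapshot taken while "locked" */
	ssize_t rc = -ENOMSG;

	/* spin_lock(&chan->pendq_lock) would be held from here ... */
	for (iter = q->head; iter; iter = iter->next) {
		if (iter->ctx_idx != ctx_idx)
			continue;
		if (count >= (size_t)iter->to_h_blks * BLK_SIZE) {
			pendq_del(q, iter);
			entry = iter;       /* dequeued: caller owns it now */
		} else {
			/* buffer not big enough: copy the header block while
			 * the entry is still protected, leave it queued */
			first = iter->to_h_msg[0];
			first.msg_id = iter->usr_msg_id;
			first.size = (uint8_t)(iter->to_h_blks - 1);
			rc = -EMSGSIZE;
		}
		break;
	}
	/* ... to here: spin_unlock(&chan->pendq_lock) */

	if (entry) {
		size_t len = entry->to_h_blks * BLK_SIZE;

		entry->to_h_msg[0].msg_id = entry->usr_msg_id;
		memcpy(buf, entry->to_h_msg, len);  /* copy_to_user() */
		rc = (ssize_t)len;
		*freed = 1;                         /* bcm_vk_free_wkent() */
	} else if (rc == -EMSGSIZE) {
		memcpy(buf, &first, BLK_SIZE);      /* header block only */
	}
	return rc;
}

/* Constructed scenario: short read, then a read with a big enough buffer.
 * Returns 0 when every step behaves as documented, else the failing step. */
static int run_demo(void)
{
	struct pendq q = { NULL };
	struct wkent e = { .ctx_idx = 1, .to_h_blks = 3, .usr_msg_id = 0x2a };
	uint8_t buf[MAX_BLKS * BLK_SIZE];
	int freed = 0;

	e.to_h_msg[0].size = 2;                 /* 3-block message */
	e.to_h_msg[0].payload[0] = 0xab;
	pendq_push(&q, &e);

	if (vk_read_model(&q, 1, buf, BLK_SIZE, &freed) != -EMSGSIZE)
		return 1;
	if (buf[0] != 0x2a || buf[1] != 2 || q.head != &e || freed)
		return 2;                       /* header back, still queued */
	if (vk_read_model(&q, 2, buf, sizeof buf, &freed) != -ENOMSG)
		return 3;                       /* another ctx sees nothing */
	if (vk_read_model(&q, 1, buf, sizeof buf, &freed) != 3 * BLK_SIZE)
		return 4;
	if (q.head != NULL || !freed || buf[0] != 0x2a || buf[2] != 0xab)
		return 5;                       /* dequeued and released */
	return 0;
}

int main(void)
{
	int r = run_demo();

	printf("demo result: %d\n", r);
	return r;
}
```

The point of taking the snapshot inside the loop is that the only data the short-buffer path needs (the first block, the user msg id and the block count) is read while the queue is still protected; after the unlock the function holds either an entry it owns or a plain copy, never a pointer into the queue.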