Hello,
Our static analysis tool finds a possible null-pointer dereference in
the mwifiex driver in Linux 5.14.0-rc3:
The variable cmd_node->cmd_skb->data is assigned to the variable
host_cmd, and host_cmd is checked in:
190: if (host_cmd == NULL || host_cmd->size == 0)
This indicates that host_cmd can be NULL.
If so, the function mwifiex_recycle_cmd_node() will be called with the
argument cmd_node:
196: mwifiex_recycle_cmd_node(adapter, cmd_node);
In this called function, the variable cmd_node->cmd_skb->data is
assigned to the variable host_cmd, too.
Thus the variable host_cmd in the function mwifiex_recycle_cmd_node()
can be also NULL.
However, it is dereferenced when calling le16_to_cpu():
144: le16_to_cpu(host_cmd->command)
I am not quite sure whether this possible null-pointer dereference is
real and how to fix it if it is real.
Any feedback would be appreciated, thanks!
Reported-by: TOTE Robot <[email protected]>
Best wishes,
Tuo Li
Hi,
On Fri, Jul 30, 2021 at 9:13 PM Li Tuo <[email protected]> wrote:
> Our static analysis tool finds a possible null-pointer dereference in
> the mwifiex driver in Linux 5.14.0-rc3:
Wouldn't be the first time a static analysis tool tripped up over
excessively redundant "safety" checks :)
For example:
https://lore.kernel.org/linux-wireless/[email protected]/T/#u
> The variable cmd_node->cmd_skb->data is assigned to the variable
> host_cmd, and host_cmd is checked in:
> 190: if (host_cmd == NULL || host_cmd->size == 0)
>
> This indicates that host_cmd can be NULL.
> If so, the function mwifiex_recycle_cmd_node() will be called with the
> argument cmd_node:
> 196: mwifiex_recycle_cmd_node(adapter, cmd_node);
>
> In this called function, the variable cmd_node->cmd_skb->data is
> assigned to the variable host_cmd, too.
> Thus the variable host_cmd in the function mwifiex_recycle_cmd_node()
> can be also NULL.
> However, it is dereferenced when calling le16_to_cpu():
> 144: le16_to_cpu(host_cmd->command)
>
> I am not quite sure whether this possible null-pointer dereference is
> real and how to fix it if it is real.
> Any feedback would be appreciated, thanks!
I doubt it's real; the NULL check is probably excessive. I don't think
there's any case in which such skb's will have no ->data. If you're
interested, you could test and submit a "fix" to drop the excess
check.
Brian
Thanks for your feedback! I think we can test and submit a patch to drop
the excess check as the example you mentioned.
Best wishes,
Tuo Li
On 2021/8/3 4:44, Brian Norris wrote:
> Hi,
>
> On Fri, Jul 30, 2021 at 9:13 PM Li Tuo <[email protected]> wrote:
>> Our static analysis tool finds a possible null-pointer dereference in
>> the mwifiex driver in Linux 5.14.0-rc3:
> Wouldn't be the first time a static analysis tool tripped up over
> excessively redundant "safety" checks :)
>
> For example:
> https://lore.kernel.org/linux-wireless/[email protected]/T/#u
>
>> The variable cmd_node->cmd_skb->data is assigned to the variable
>> host_cmd, and host_cmd is checked in:
>> 190: if (host_cmd == NULL || host_cmd->size == 0)
>>
>> This indicates that host_cmd can be NULL.
>> If so, the function mwifiex_recycle_cmd_node() will be called with the
>> argument cmd_node:
>> 196: mwifiex_recycle_cmd_node(adapter, cmd_node);
>>
>> In this called function, the variable cmd_node->cmd_skb->data is
>> assigned to the variable host_cmd, too.
>> Thus the variable host_cmd in the function mwifiex_recycle_cmd_node()
>> can be also NULL.
>> However, it is dereferenced when calling le16_to_cpu():
>> 144: le16_to_cpu(host_cmd->command)
>>
>> I am not quite sure whether this possible null-pointer dereference is
>> real and how to fix it if it is real.
>> Any feedback would be appreciated, thanks!
> I doubt it's real; the NULL check is probably excessive. I don't think
> there's any case in which such skb's will have no ->data. If you're
> interested, you could test and submit a "fix" to drop the excess
> check.
>
> Brian