From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
To: Marcel Holtmann, Gustavo Padovan, Johan Hedberg, "David S. Miller"
Cc: linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [net-bluetooth] question about potential null pointer dereference
Date: Tue, 30 May 2017 11:23:28 -0500
Message-ID: <20170530112328.Horde.PY1jf3InPf-6SU3kH9l7mtw@gator4166.hostgator.com>

Hello everybody,

While looking into Coverity ID 1357456 I ran into the following piece of code at net/bluetooth/smp.c:166

166 /* The following functions map to the LE SC SMP crypto functions
167  * AES-CMAC, f4, f5, f6, g2 and h6.
168  */
169
170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171                     size_t len, u8 mac[16])
172 {
173         uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174         SHASH_DESC_ON_STACK(desc, tfm);
175         int err;
176
177         if (len > CMAC_MSG_MAX)
178                 return -EFBIG;
179
180         if (!tfm) {
181                 BT_ERR("tfm %p", tfm);
182                 return -EINVAL;
183         }
184
185         desc->tfm = tfm;
186         desc->flags = 0;
187
188         /* Swap key and message from LSB to MSB */
189         swap_buf(k, tmp, 16);
190         swap_buf(m, msg_msb, len);
191
192         SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
193         SMP_DBG("key %16phN", k);
194
195         err = crypto_shash_setkey(tfm, tmp, 16);
196         if (err) {
197                 BT_ERR("cipher setkey failed: %d", err);
198                 return err;
199         }
200
201         err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
202         shash_desc_zero(desc);
203         if (err) {
204                 BT_ERR("Hash computation error %d", err);
205                 return err;
206         }
207
208         swap_buf(mac_msb, mac, 16);
209
210         SMP_DBG("mac %16phN", mac);
211
212         return 0;
213 }

The issue here is that line 180 implies that pointer tfm might be NULL. If this is the case, there is a potential NULL pointer dereference at line 174 once pointer tfm is indirectly dereferenced inside macro SHASH_DESC_ON_STACK().

My question is if there is any chance that pointer tfm may be NULL when calling macro SHASH_DESC_ON_STACK()?

I'm trying to figure out if this is a false positive or something that needs to be fixed somehow.

I'd really appreciate any comment on this.

Thank you!
--
Gustavo A. R. Silva
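The ordering problem the mail asks about can be shown outside the kernel. The following is an added example, not code from the mail or from the kernel tree: it uses stand-in versions of `struct crypto_shash`, `struct shash_desc` and `SHASH_DESC_ON_STACK()` that keep only the property that matters (the descriptor's size is computed from `tfm->descsize` in the declaration itself), a toy byte-mixing digest in place of `crypto_shash_digest()`, and an assumed value for `CMAC_MSG_MAX`. `aes_cmac_body()` keeps the same statement order as the quoted function, so its `if (!tfm)` check is reached only after the declaration has already dereferenced `tfm`; `aes_cmac_checked()` is one way to make the check effective under declarations-first C, by validating in a wrapper before any descriptor exists.

```c
/* Added example (not kernel code): why a NULL check placed after
 * SHASH_DESC_ON_STACK() cannot protect it, and one ordering that can.
 * Types and macros are stand-ins; the "MAC" is a toy mix, not AES-CMAC. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMAC_MSG_MAX 80   /* name from smp.c; the value is assumed here */

/* Stand-ins for the kernel types: only the fields the example needs. */
struct crypto_shash { size_t descsize; };
struct shash_desc   { struct crypto_shash *tfm; uint32_t flags; };

/* Mimics the real macro's shape: the buffer length depends on
 * (ctx)->descsize, so the declaration dereferences ctx before any
 * statement in the enclosing function body has executed. */
#define SHASH_DESC_ON_STACK(shash, ctx)                                  \
    char __##shash##_desc[sizeof(struct shash_desc) + (ctx)->descsize]; \
    struct shash_desc *shash = (struct shash_desc *)__##shash##_desc

/* Byte reversal, as swap_buf() in smp.c (LSB-first <-> MSB-first). */
static void swap_buf(const uint8_t *src, uint8_t *dst, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[len - 1 - i] = src[i];
}

/* Toy stand-in for crypto_shash_digest(): copy the key into the tag,
 * then XOR the message in 16-byte lanes. Deterministic, NOT a real MAC. */
static int toy_digest(struct shash_desc *desc, const uint8_t key[16],
                      const uint8_t *msg, size_t len, uint8_t out[16])
{
    if (!desc->tfm)
        return -EINVAL;
    memcpy(out, key, 16);
    for (size_t i = 0; i < len; i++)
        out[i % 16] ^= msg[i];
    return 0;
}

/* Same statement order as the function quoted in the mail. The descriptor
 * declaration dereferences tfm, so the later `if (!tfm)` can only ever run
 * with a non-NULL tfm; with declarations-first C there is no position inside
 * this function where the check could come first. Never call with NULL. */
static int aes_cmac_body(struct crypto_shash *tfm, const uint8_t k[16],
                         const uint8_t *m, size_t len, uint8_t mac[16])
{
    uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
    SHASH_DESC_ON_STACK(desc, tfm);     /* tfm dereferenced here */
    int err;

    if (len > CMAC_MSG_MAX)
        return -EFBIG;
    if (!tfm)                           /* too late for the line above */
        return -EINVAL;

    desc->tfm = tfm;
    desc->flags = 0;
    swap_buf(k, tmp, 16);               /* key and message LSB -> MSB */
    swap_buf(m, msg_msb, len);
    err = toy_digest(desc, tmp, msg_msb, len, mac_msb);
    if (err)
        return err;
    swap_buf(mac_msb, mac, 16);         /* tag back to LSB order */
    return 0;
}

/* One fix that respects declarations-first C: validate in a thin wrapper so
 * the descriptor-carrying body only ever sees a usable tfm. (The other
 * option is to drop the check once every caller is known to pass one.) */
static int aes_cmac_checked(struct crypto_shash *tfm, const uint8_t k[16],
                            const uint8_t *m, size_t len, uint8_t mac[16])
{
    if (!tfm)
        return -EINVAL;
    if (len > CMAC_MSG_MAX)
        return -EFBIG;
    return aes_cmac_body(tfm, k, m, len, mac);
}

/* Constructed inputs for the demo: key 00..0f, message aa bb. */
static const uint8_t demo_key[16] = {0, 1, 2, 3, 4, 5, 6, 7,
                                     8, 9, 10, 11, 12, 13, 14, 15};
static const uint8_t demo_msg[2] = {0xaa, 0xbb};

static int demo_null_rejected(void)
{
    uint8_t mac[16];
    return aes_cmac_checked(NULL, demo_key, demo_msg, sizeof demo_msg, mac);
}

static int demo_oversize_rejected(void)
{
    struct crypto_shash tfm = { .descsize = 32 };
    uint8_t mac[16];
    return aes_cmac_checked(&tfm, demo_key, demo_msg, CMAC_MSG_MAX + 1, mac);
}

/* Byte `idx` of the toy MAC over the constructed inputs, or -1 on error. */
static int demo_mac_byte(size_t idx)
{
    struct crypto_shash tfm = { .descsize = 32 };
    uint8_t mac[16];
    if (idx >= 16 ||
        aes_cmac_checked(&tfm, demo_key, demo_msg, sizeof demo_msg, mac))
        return -1;
    return mac[idx];
}

int main(void)
{
    printf("NULL tfm -> %d, oversize -> %d, mac[15] = 0x%02x\n",
           demo_null_rejected(), demo_oversize_rejected(), demo_mac_byte(15));
    return 0;
}
```

Compile with `cc -std=c99 example.c`. The thing to notice is that the wrapper is the only place where `if (!tfm)` precedes the descriptor declaration; inside `aes_cmac_body()` the same test is unreachable with a NULL argument, which is exactly why a static analyser flags line 174 of the original as a dereference that line 180 fails to guard.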