From: Josh Boyer <jwboyer@fedoraproject.org> To: Oliver Hartkopp <socketcan@hartkopp.net> Cc: Colin King <colin.king@canonical.com>, Marc Kleine-Budde <mkl@pengutronix.de>, "David S . Miller" <davem@davemloft.net>, linux-can@vger.kernel.org, netdev <netdev@vger.kernel.org>, kernel-janitors@vger.kernel.org, "Linux-Kernel@Vger. Kernel. Org" <linux-kernel@vger.kernel.org> Subject: Re: [PATCH] can: check for null sk before deferencing it via the call to sock_net Date: Mon, 16 Oct 2017 12:37:07 -0400 [thread overview] Message-ID: <CA+5PVA7fJfZmN-XLuqARGkWL6eY54HaRAj19K_Und3K7vAVfpg@mail.gmail.com> (raw) In-Reply-To: <f5ce1047-eb37-151a-c7b7-9b47b70789f7@hartkopp.net> On Fri, Sep 8, 2017 at 1:46 PM, Oliver Hartkopp <socketcan@hartkopp.net> wrote: > > > On 09/08/2017 05:02 PM, Colin King wrote: >> >> From: Colin Ian King <colin.king@canonical.com> >> >> The assignment of net via call sock_net will dereference sk. This >> is performed before a sanity null check on sk, so there could be >> a potential null dereference on the sock_net call if sk is null. >> Fix this by assigning net after the sk null check. Also replace >> the sk == NULL with the more usual !sk idiom. >> >> Detected by CoverityScan CID#1431862 ("Dereference before null check") >> >> Fixes: 384317ef4187 ("can: network namespace support for CAN_BCM >> protocol") >> Signed-off-by: Colin Ian King <colin.king@canonical.com> > > > Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> I don't see this one queued up in the net or net-next trees. Did it fall through the cracks or did it get queued up elsewhere? Seems like it's a good candidate to get into 4.14? josh > > > Thanks Collin! > > >> --- >> net/can/bcm.c | 5 +++-- >> 1 file changed, 3 insertions(+), 2 deletions(-) >> >> diff --git a/net/can/bcm.c b/net/can/bcm.c >> index 47a8748d953a..a3791674b8ce 100644 >> --- a/net/can/bcm.c >> +++ b/net/can/bcm.c >> @@ -1493,13 +1493,14 @@ static int bcm_init(struct sock *sk) >> static int bcm_release(struct socket *sock) >> { >> struct sock *sk = sock->sk; >> - struct net *net = sock_net(sk); >> + struct net *net; >> struct bcm_sock *bo; >> struct bcm_op *op, *next; >> - if (sk == NULL) >> + if (!sk) >> return 0; >> + net = sock_net(sk); >> bo = bcm_sk(sk); >> /* remove bcm_ops, timer, rx_unregister(), etc. */ >> >
WARNING: multiple messages have this Message-ID (diff)
From: Josh Boyer <jwboyer@fedoraproject.org> To: Oliver Hartkopp <socketcan@hartkopp.net> Cc: Colin King <colin.king@canonical.com>, Marc Kleine-Budde <mkl@pengutronix.de>, "David S . Miller" <davem@davemloft.net>, linux-can@vger.kernel.org, netdev <netdev@vger.kernel.org>, kernel-janitors@vger.kernel.org, "Linux-Kernel@Vger. Kernel. Org" <linux-kernel@vger.kernel.org> Subject: Re: [PATCH] can: check for null sk before deferencing it via the call to sock_net Date: Mon, 16 Oct 2017 16:37:07 +0000 [thread overview] Message-ID: <CA+5PVA7fJfZmN-XLuqARGkWL6eY54HaRAj19K_Und3K7vAVfpg@mail.gmail.com> (raw) In-Reply-To: <f5ce1047-eb37-151a-c7b7-9b47b70789f7@hartkopp.net> On Fri, Sep 8, 2017 at 1:46 PM, Oliver Hartkopp <socketcan@hartkopp.net> wrote: > > > On 09/08/2017 05:02 PM, Colin King wrote: >> >> From: Colin Ian King <colin.king@canonical.com> >> >> The assignment of net via call sock_net will dereference sk. This >> is performed before a sanity null check on sk, so there could be >> a potential null dereference on the sock_net call if sk is null. >> Fix this by assigning net after the sk null check. Also replace >> the sk = NULL with the more usual !sk idiom. >> >> Detected by CoverityScan CID#1431862 ("Dereference before null check") >> >> Fixes: 384317ef4187 ("can: network namespace support for CAN_BCM >> protocol") >> Signed-off-by: Colin Ian King <colin.king@canonical.com> > > > Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> I don't see this one queued up in the net or net-next trees. Did it fall through the cracks or did it get queued up elsewhere? Seems like it's a good candidate to get into 4.14? josh > > > Thanks Collin! > > >> --- >> net/can/bcm.c | 5 +++-- >> 1 file changed, 3 insertions(+), 2 deletions(-) >> >> diff --git a/net/can/bcm.c b/net/can/bcm.c >> index 47a8748d953a..a3791674b8ce 100644 >> --- a/net/can/bcm.c >> +++ b/net/can/bcm.c >> @@ -1493,13 +1493,14 @@ static int bcm_init(struct sock *sk) >> static int bcm_release(struct socket *sock) >> { >> struct sock *sk = sock->sk; >> - struct net *net = sock_net(sk); >> + struct net *net; >> struct bcm_sock *bo; >> struct bcm_op *op, *next; >> - if (sk = NULL) >> + if (!sk) >> return 0; >> + net = sock_net(sk); >> bo = bcm_sk(sk); >> /* remove bcm_ops, timer, rx_unregister(), etc. */ >> >
next prev parent reply other threads:[~2017-10-16 16:37 UTC|newest] Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-09-08 15:02 [PATCH] can: check for null sk before deferencing it via the call to sock_net Colin King 2017-09-08 15:02 ` Colin King 2017-09-08 17:46 ` Oliver Hartkopp 2017-09-08 17:46 ` Oliver Hartkopp [not found] ` <CABATaM548q4dghmPgrh9qd7+q9Nq1UgA+ESXOrW+45gBWxdq3w@mail.gmail.com> 2017-10-11 10:35 ` Oliver Hartkopp 2017-10-16 16:37 ` Josh Boyer [this message] 2017-10-16 16:37 ` Josh Boyer 2017-10-16 17:32 ` Oliver Hartkopp 2017-10-16 17:32 ` Oliver Hartkopp 2017-10-17 5:49 ` Marc Kleine-Budde 2017-10-17 5:49 ` Marc Kleine-Budde
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CA+5PVA7fJfZmN-XLuqARGkWL6eY54HaRAj19K_Und3K7vAVfpg@mail.gmail.com \ --to=jwboyer@fedoraproject.org \ --cc=colin.king@canonical.com \ --cc=davem@davemloft.net \ --cc=kernel-janitors@vger.kernel.org \ --cc=linux-can@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=mkl@pengutronix.de \ --cc=netdev@vger.kernel.org \ --cc=socketcan@hartkopp.net \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.