re: misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge

re: misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge

[Colin Ian King]

Hi,

Static analysis on linux-next with Coverity has detected an issue in
drivers/misc/cardreader/alcor_pci.c in function
alcor_pci_init_check_aspm  with the following commit:

commit 3ce3e45cc333da707d4d6eb433574b990bcc26f5
Author: Tong Zhang <ztong0001@gmail.com>
Date:   Thu May 13 00:07:33 2021 -0400

    misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge

The analysis is as follows:

135 static void alcor_pci_init_check_aspm(struct alcor_pci_priv *priv)
136 {
137        struct pci_dev *pci;
138        int where;
139        u32 val32;
140
141        priv->pdev_cap_off    = alcor_pci_find_cap_offset(priv,
priv->pdev);
142        /*
143         * A device might be attached to root complex directly and
144         * priv->parent_pdev will be NULL. In this case we don't
check its
145         * capability and disable ASPM completely.
146         */

   1. Condition !priv->parent_pdev, taking true branch.
   2. var_compare_op: Comparing priv->parent_pdev to null implies that
priv->parent_pdev might be null.

147        if (!priv->parent_pdev)

   Dereference after null check (FORWARD_NULL)
   3. var_deref_model: Passing null pointer priv->parent_pdev to
alcor_pci_find_cap_offset, which dereferences it.

148                priv->parent_cap_off = alcor_pci_find_cap_offset(priv,
149
priv->parent_pdev);

When !priv->parent_pdev is true, then priv->parent_pdev is NULL and
hence the call to alcor_pci_find_cap_offset() is dereferencing a null
pointer in the priv->parent_pdev argument.

I suspect the logic in the if statement is inverted, the ! should be
removed. This seems too trivial to be wrong. Maybe I'm missing something
deeper.

Colin

Re: misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge

[Tong Zhang]

On Tue, May 18, 2021 at 11:32 AM Colin Ian King
<colin.king@canonical.com> wrote:
>
> Hi,
>
> Static analysis on linux-next with Coverity has detected an issue in
> drivers/misc/cardreader/alcor_pci.c in function
> alcor_pci_init_check_aspm  with the following commit:
>
> commit 3ce3e45cc333da707d4d6eb433574b990bcc26f5
> Author: Tong Zhang <ztong0001@gmail.com>
> Date:   Thu May 13 00:07:33 2021 -0400
>
>     misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge
>
> The analysis is as follows:
>
> 135 static void alcor_pci_init_check_aspm(struct alcor_pci_priv *priv)
> 136 {
> 137        struct pci_dev *pci;
> 138        int where;
> 139        u32 val32;
> 140
> 141        priv->pdev_cap_off    = alcor_pci_find_cap_offset(priv,
> priv->pdev);
> 142        /*
> 143         * A device might be attached to root complex directly and
> 144         * priv->parent_pdev will be NULL. In this case we don't
> check its
> 145         * capability and disable ASPM completely.
> 146         */
>
>    1. Condition !priv->parent_pdev, taking true branch.
>    2. var_compare_op: Comparing priv->parent_pdev to null implies that
> priv->parent_pdev might be null.
>
> 147        if (!priv->parent_pdev)
>
>    Dereference after null check (FORWARD_NULL)
>    3. var_deref_model: Passing null pointer priv->parent_pdev to
> alcor_pci_find_cap_offset, which dereferences it.
>
> 148                priv->parent_cap_off = alcor_pci_find_cap_offset(priv,
> 149
> priv->parent_pdev);
>
> When !priv->parent_pdev is true, then priv->parent_pdev is NULL and
> hence the call to alcor_pci_find_cap_offset() is dereferencing a null
> pointer in the priv->parent_pdev argument.
>
> I suspect the logic in the if statement is inverted, the ! should be
> removed. This seems too trivial to be wrong. Maybe I'm missing something
> deeper.

Hi Colin,
Thanks for pointing that out.
You are right. I made a terrible mistake here while refactoring the patch. :'(
I think I need to get away from this thing for a while and have some rest.
- Tong


>
> Colin
>

[PATCH v4] misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge

[Tong Zhang]

There is an issue with the ASPM(optional) capability checking function.
A device might be attached to root complex directly, in this case,
bus->self(bridge) will be NULL, thus priv->parent_pdev is NULL.
Since alcor_pci_init_check_aspm(priv->parent_pdev) checks the PCI link's
ASPM capability and populate parent_cap_off, which will be used later by
alcor_pci_aspm_ctrl() to dynamically turn on/off device, what we can do
here is to avoid checking the capability if we are on the root complex.
This will make pdev_cap_off 0 and alcor_pci_aspm_ctrl() will simply
return when bring called, effectively disable ASPM for the device.

[    1.246492] BUG: kernel NULL pointer dereference, address: 00000000000000c0
[    1.248731] RIP: 0010:pci_read_config_byte+0x5/0x40
[    1.253998] Call Trace:
[    1.254131]  ? alcor_pci_find_cap_offset.isra.0+0x3a/0x100 [alcor_pci]
[    1.254476]  alcor_pci_probe+0x169/0x2d5 [alcor_pci]

Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Co-developed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Co-developed-by: Colin Ian King <colin.king@canonical.com>
---
v2: check before calling alcor_pci_find_cap_offset()
v3: Add comment. Enable the dev_dbg() output when priv->parent_pdev is NULL.
v4: fix inverted if statement, thanks to Colin <colin.king@canonical.com>

 drivers/misc/cardreader/alcor_pci.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/cardreader/alcor_pci.c b/drivers/misc/cardreader/alcor_pci.c
index cd402c89189e..de6d44a158bb 100644
--- a/drivers/misc/cardreader/alcor_pci.c
+++ b/drivers/misc/cardreader/alcor_pci.c
@@ -139,7 +139,13 @@ static void alcor_pci_init_check_aspm(struct alcor_pci_priv *priv)
 	u32 val32;
 
 	priv->pdev_cap_off    = alcor_pci_find_cap_offset(priv, priv->pdev);
-	priv->parent_cap_off = alcor_pci_find_cap_offset(priv,
+	/*
+	 * A device might be attached to root complex directly and
+	 * priv->parent_pdev will be NULL. In this case we don't check its
+	 * capability and disable ASPM completely.
+	 */
+	if (priv->parent_pdev)
+		priv->parent_cap_off = alcor_pci_find_cap_offset(priv,
 							 priv->parent_pdev);
 
 	if ((priv->pdev_cap_off == 0) || (priv->parent_cap_off == 0)) {
-- 
2.25.1

Re: [PATCH v4] misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge

[Greg Kroah-Hartman]

On Tue, May 18, 2021 at 03:28:18PM -0400, Tong Zhang wrote:
> There is an issue with the ASPM(optional) capability checking function.
> A device might be attached to root complex directly, in this case,
> bus->self(bridge) will be NULL, thus priv->parent_pdev is NULL.
> Since alcor_pci_init_check_aspm(priv->parent_pdev) checks the PCI link's
> ASPM capability and populate parent_cap_off, which will be used later by
> alcor_pci_aspm_ctrl() to dynamically turn on/off device, what we can do
> here is to avoid checking the capability if we are on the root complex.
> This will make pdev_cap_off 0 and alcor_pci_aspm_ctrl() will simply
> return when bring called, effectively disable ASPM for the device.
> 
> [    1.246492] BUG: kernel NULL pointer dereference, address: 00000000000000c0
> [    1.248731] RIP: 0010:pci_read_config_byte+0x5/0x40
> [    1.253998] Call Trace:
> [    1.254131]  ? alcor_pci_find_cap_offset.isra.0+0x3a/0x100 [alcor_pci]
> [    1.254476]  alcor_pci_probe+0x169/0x2d5 [alcor_pci]
> 
> Signed-off-by: Tong Zhang <ztong0001@gmail.com>
> Co-developed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Co-developed-by: Colin Ian King <colin.king@canonical.com>
> ---
> v2: check before calling alcor_pci_find_cap_offset()
> v3: Add comment. Enable the dev_dbg() output when priv->parent_pdev is NULL.
> v4: fix inverted if statement, thanks to Colin <colin.king@canonical.com>

Please just send a fix-up patch instead, I don't want to revert and then
add this, that doesn't make any sense...

thanks,

greg k-h

Re: [PATCH v4] misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge

[Tong Zhang]

On Fri, May 21, 2021 at 5:44 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> Please just send a fix-up patch instead, I don't want to revert and then
> add this, that doesn't make any sense...
>
> thanks,
>
> greg k-h

OK,OK, got it. Thanks for letting me know how to fix this.
I will send out a fix-up patch as suggested ASAP.
Thanks,
- Tong

[PATCH v1] misc: alcor_pci: fix inverted branch condition

[Tong Zhang]

This patch fixes a trivial mistake that I made in the previous attempt
in fixing the null bridge issue. The branch condition is inverted and we
should call alcor_pci_find_cap_offset() only if bridge is not null.

Reported-by: Colin Ian King <colin.king@canonical.com>
Fixes: 3ce3e45cc333 ("misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge")
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
---
 drivers/misc/cardreader/alcor_pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/misc/cardreader/alcor_pci.c b/drivers/misc/cardreader/alcor_pci.c
index 0a62307f7ffb..de6d44a158bb 100644
--- a/drivers/misc/cardreader/alcor_pci.c
+++ b/drivers/misc/cardreader/alcor_pci.c
@@ -144,7 +144,7 @@ static void alcor_pci_init_check_aspm(struct alcor_pci_priv *priv)
 	 * priv->parent_pdev will be NULL. In this case we don't check its
 	 * capability and disable ASPM completely.
 	 */
-	if (!priv->parent_pdev)
+	if (priv->parent_pdev)
 		priv->parent_cap_off = alcor_pci_find_cap_offset(priv,
 							 priv->parent_pdev);
 
-- 
2.25.1

Re: [PATCH v4] misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge

[Tong Zhang]

Hi Greg,
I have sent out a fix-up patch as suggested.
Please take a look to see if this one works.
Sorry for the trouble. and have a nice weekend.
- Tong