* cxgb4: Missing NULL check of the return value of get_skb() in function send_flowc()
@ 2012-07-13 5:03 Roland Dreier
[not found] ` <CAL1RGDWwXxr_2WDvTTwW41fYP-+gfqf=DzB3cF-Aoe=DS74JJg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
0 siblings, 1 reply; 2+ messages in thread
From: Roland Dreier @ 2012-07-13 5:03 UTC (permalink / raw)
To: Steve Wise; +Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA
steve, in case you didn't read this because of the generic subject:
On Thu, Jul 12, 2012 at 7:16 PM, <bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org> wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=44631
>
> Summary: Missing NULL check of the return value of get_skb() in
> function send_flowc()
> Product: Drivers
> Version: 2.5
> Kernel Version: 2.6.39
> Platform: All
> OS/Version: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Infiniband/RDMA
> AssignedTo: drivers_infiniband-rdma-ztI5WcYan/vQLgFONoPN62D2FQJk+8+b@public.gmane.org
> ReportedBy: rucsoftsec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
> Regression: No
>
>
> Function get_skb() may return a NULL pointer, and its return value shall be
> checked before used. But in function send_flowc() after get_skb() is called(at
> drivers/infiniband/hw/cxgb4/cm.c:362), the return value is immediately used as
> a parameter of __skb_put() without NULL check. Besides, there is no check
> before the parameter is dereferenced in the callee function __skb_put(). So an
> invalid memory access may be triggered.
> The related code snippets in send_flowc() are as following.
> send_flowc() @@drivers/infiniband/hw/cxgb4/cm.c:362
> 362 skb = get_skb(skb, flowclen, GFP_KERNEL);
> 363 flowc = (struct fw_flowc_wr *)__skb_put(skb, flowclen);
>
> And the implementation of get_skb() are as following.
> get_skb() drivers/infiniband/hw/cxgb4/cm.c:301
> 301static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp)
> 302{
> 303 if (skb && !skb_is_nonlinear(skb) && !skb_cloned(skb)) {
> 304 skb_trim(skb, 0);
> 305 skb_get(skb);
> 306 skb_reset_transport_header(skb);
> 307 } else {
> 308 skb = alloc_skb(len, gfp);
> 309 }
> 310 return skb;
> 311}
>
> Following is a call instance of snd_flowc.
> act_establish @@drivers/infiniband/hw/cxgb4/cm.c:695
> 695 /* start MPA negotiation */
> 696 send_flowc(ep, NULL);
>
> So from the source code we can see that potential NULL dereference fault exists
> when path act_establish()->send_flowc()->get_skb()->alloc_skb() is executed.
>
> Thank you
>
> RUC_Soft_Sec
>
> --
> Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are watching the assignee of the bug.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: cxgb4: Missing NULL check of the return value of get_skb() in function send_flowc()
[not found] ` <CAL1RGDWwXxr_2WDvTTwW41fYP-+gfqf=DzB3cF-Aoe=DS74JJg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2012-07-13 13:38 ` Steve Wise
0 siblings, 0 replies; 2+ messages in thread
From: Steve Wise @ 2012-07-13 13:38 UTC (permalink / raw)
To: Roland Dreier; +Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA
On 7/13/2012 12:03 AM, Roland Dreier wrote:
> steve, in case you didn't read this because of the generic subject:
Thanks Roland. Yes, I missed this. I'll get to this asap...
> On Thu, Jul 12, 2012 at 7:16 PM, <bugzilla-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org> wrote:
>> https://bugzilla.kernel.org/show_bug.cgi?id=44631
>>
>> Summary: Missing NULL check of the return value of get_skb() in
>> function send_flowc()
>> Product: Drivers
>> Version: 2.5
>> Kernel Version: 2.6.39
>> Platform: All
>> OS/Version: Linux
>> Tree: Mainline
>> Status: NEW
>> Severity: normal
>> Priority: P1
>> Component: Infiniband/RDMA
>> AssignedTo: drivers_infiniband-rdma-ztI5WcYan/vQLgFONoPN62D2FQJk+8+b@public.gmane.org
>> ReportedBy: rucsoftsec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
>> Regression: No
>>
>>
>> Function get_skb() may return a NULL pointer, and its return value shall be
>> checked before used. But in function send_flowc() after get_skb() is called(at
>> drivers/infiniband/hw/cxgb4/cm.c:362), the return value is immediately used as
>> a parameter of __skb_put() without NULL check. Besides, there is no check
>> before the parameter is dereferenced in the callee function __skb_put(). So an
>> invalid memory access may be triggered.
>> The related code snippets in send_flowc() are as following.
>> send_flowc() @@drivers/infiniband/hw/cxgb4/cm.c:362
>> 362 skb = get_skb(skb, flowclen, GFP_KERNEL);
>> 363 flowc = (struct fw_flowc_wr *)__skb_put(skb, flowclen);
>>
>> And the implementation of get_skb() are as following.
>> get_skb() drivers/infiniband/hw/cxgb4/cm.c:301
>> 301static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp)
>> 302{
>> 303 if (skb && !skb_is_nonlinear(skb) && !skb_cloned(skb)) {
>> 304 skb_trim(skb, 0);
>> 305 skb_get(skb);
>> 306 skb_reset_transport_header(skb);
>> 307 } else {
>> 308 skb = alloc_skb(len, gfp);
>> 309 }
>> 310 return skb;
>> 311}
>>
>> Following is a call instance of snd_flowc.
>> act_establish @@drivers/infiniband/hw/cxgb4/cm.c:695
>> 695 /* start MPA negotiation */
>> 696 send_flowc(ep, NULL);
>>
>> So from the source code we can see that potential NULL dereference fault exists
>> when path act_establish()->send_flowc()->get_skb()->alloc_skb() is executed.
>>
>> Thank you
>>
>> RUC_Soft_Sec
>>
>> --
>> Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
>> ------- You are receiving this mail because: -------
>> You are watching the assignee of the bug.
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
>> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2012-07-13 13:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-07-13 5:03 cxgb4: Missing NULL check of the return value of get_skb() in function send_flowc() Roland Dreier
[not found] ` <CAL1RGDWwXxr_2WDvTTwW41fYP-+gfqf=DzB3cF-Aoe=DS74JJg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-07-13 13:38 ` Steve Wise
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.