Re: drivers/char: suspected null-pointer dereference problem in handle_control_message

Re: drivers/char: suspected null-pointer dereference problem in handle_control_message

[Amit Shah]

On Tue, 2021-10-26 at 06:17 +0000, YE Chengfeng wrote:
> Hi,
>  
> https://github.com/torvalds/linux/blob/master/drivers/char/virtio_console.c#L1657
>  
> Our experimental static analysis tool detects a suspected null-pointer-dereference problem. We manually check it, but It still could be false positive because we are not familiar with the code. We report this to you just in case.
>  
> We notice that in some branches of switch case at line #1582, the pointer port is null check. But null check is missing at line #1657 and line #1633. It seems like a suspected null-pointer dereference pointer. Would you like to spare some time to have a look at it?

For this NULL deref to happen, the host will have to send a port_name
command before a port_add command.  Worrying about that isn't
worthwhile.  If you'd like to add a generic `if (unlikely(!port))`
after line 1579 there, that'd be fine as a hint to the static analysis
tools, though, so just for that reason, it might be worthwhile.

		Amit

回复: drivers/char: suspected null-pointer dereference problem in handle_control_message

[YE Chengfeng]

Thanks for your reply.

Agree with you, seems that the branch at #line 1573 already handles this situation.

Another question, is it possible that port->name is null when show_port_name is invoked? I don't see any null-check there, could it be a null-dereference problem at #line 1282? Link is below.
https://github.com/torvalds/linux/blob/master/drivers/char/virtio_console.c#L1282

Best Regards.
Chengfeng
-----邮件原件-----
发件人: Amit Shah <amit@infradead.org> 
发送时间: 2021年10月26日 18:30
收件人: YE Chengfeng <cyeaa@connect.ust.hk>; amit@kernel.org; arnd@arndb.de; linux-kernel@vger.kernel.org
主题: Re: drivers/char: suspected null-pointer dereference problem in handle_control_message

On Tue, 2021-10-26 at 06:17 +0000, YE Chengfeng wrote:
> Hi,
>  
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith
> ub.com%2Ftorvalds%2Flinux%2Fblob%2Fmaster%2Fdrivers%2Fchar%2Fvirtio_co
> nsole.c%23L1657&amp;data=04%7C01%7Ccyeaa%40connect.ust.hk%7Ccfdf9c167c
> 6749fe336a08d9986ba318%7C6c1d415239d044ca88d9b8d6ddca0708%7C1%7C0%7C63
> 7708410345384834%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV
> 2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=GBDIMmW7FA1kawm
> SoKAH7xTW92%2BrHMo2i2SVR42XFqE%3D&amp;reserved=0
>  
> Our experimental static analysis tool detects a suspected null-pointer-dereference problem. We manually check it, but It still could be false positive because we are not familiar with the code. We report this to you just in case.
>  
> We notice that in some branches of switch case at line #1582, the pointer port is null check. But null check is missing at line #1657 and line #1633. It seems like a suspected null-pointer dereference pointer. Would you like to spare some time to have a look at it?

For this NULL deref to happen, the host will have to send a port_name command before a port_add command.  Worrying about that isn't worthwhile.  If you'd like to add a generic `if (unlikely(!port))` after line 1579 there, that'd be fine as a hint to the static analysis tools, though, so just for that reason, it might be worthwhile.

		Amit

Re: 回复: drivers/char: suspected null-pointer dereference problem in handle_control_message

[Amit Shah]

On Tue, 2021-10-26 at 11:51 +0000, YE Chengfeng wrote:
> Thanks for your reply.
> 
> Agree with you, seems that the branch at #line 1573 already handles this situation.
> 
> Another question, is it possible that port->name is null when show_port_name is invoked? I don't see any null-check there, could it be a null-dereference problem at #line 1282? Link is below.
> https://github.com/torvalds/linux/blob/master/drivers/char/virtio_console.c#L1282

Why don't you try it?

It's certainly possible that a port doesn't have a name.

回复: 回复: drivers/char: suspected null-pointer dereference problem in handle_control_message

[YE Chengfeng]

If it's possible as said, maybe it should be fixed? 
Do you need my help to send a patch?

-----邮件原件-----
发件人: Amit Shah <amit@infradead.org> 
发送时间: 2021年10月28日 19:55
收件人: YE Chengfeng <cyeaa@connect.ust.hk>; amit@kernel.org; arnd@arndb.de; linux-kernel@vger.kernel.org
主题: Re: 回复: drivers/char: suspected null-pointer dereference problem in handle_control_message

On Tue, 2021-10-26 at 11:51 +0000, YE Chengfeng wrote:
> Thanks for your reply.
> 
> Agree with you, seems that the branch at #line 1573 already handles this situation.
> 
> Another question, is it possible that port->name is null when show_port_name is invoked? I don't see any null-check there, could it be a null-dereference problem at #line 1282? Link is below.
> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftorvalds%2Flinux%2Fblob%2Fmaster%2Fdrivers%2Fchar%2Fvirtio_console.c%23L1282&amp;data=04%7C01%7Ccyeaa%40connect.ust.hk%7Cf78df542482244275a4408d99a09c159%7C6c1d415239d044ca88d9b8d6ddca0708%7C1%7C0%7C637710188967881644%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=TGc89qYoAYheHQOvDkMCpAtvNJz6muw9zC8nhQXAQ0E%3D&amp;reserved=0

Why don't you try it?

It's certainly possible that a port doesn't have a name.