From: Rodrigo Vivi <rodrigo.vivi@intel.com>
To: Shaobo He <shaobo@cs.utah.edu>
Cc: intel-gfx@lists.freedesktop.org
Subject: Re: Potential NULL pointer dereference in intel_crt_get_edid
Date: Tue, 19 Mar 2019 10:12:54 -0700 [thread overview]
Message-ID: <20190319171254.GE27875@intel.com> (raw)
In-Reply-To: <aadc7424-cb20-7ed7-cbd5-4fc9a055feac@cs.utah.edu>
On Tue, Mar 19, 2019 at 10:53:53AM -0600, Shaobo He wrote:
> Thank you very much for your reply. Do you mean if I track the argument to
> the callers, I should be able to figure out that the pin is always valid? I
> think I have two questions for this approach. First, does it mean that the
> branch returning NULL is practically dead code?
Yes, that's the case.
Only possibility that we could reach that is if when we are adding
a new platform but we make some mistake on defining the pin table.
so it is there just in case.
> Second, the driver code, as
> it appears to me, does not have well-defined entry points like the main
> function.
welcome! :)
it is complex indeed. It has the probe and entry points would be the ioctls,
interrups, sysfs, debugfs, etc...
my suggestion is to use something like cscope/ctags to navigate and try to
make some sense of the functions around that particular code you are looking at.
> So if I manage to track the arguments to a function whose caller
> is not explicit (e.g., it's address is taken in a structure), should I still
> assume that the pin is valid when this function is used?
on this particular case yes. in general, use the cscope on the vfunc call to see
when it gets called...
>
> Thanks,
> Shaobo
> On 2019/3/19 2:32, Jani Nikula wrote:
> > On Mon, 18 Mar 2019, Shaobo He <shaobo@cs.utah.edu> wrote:
> > > I see. In light of this commit, is it a better solution than adding NULL-checks
> > > is to replace the if branch conditioned by `WARN_ON` with simply `WARN` like the
> > > following,
> > >
> > > struct i2c_adapter *intel_gmbus_get_adapter(struct drm_i915_private *dev_priv,
> > > unsigned int pin)
> > > {
> > > WARN(!intel_gmbus_is_valid_pin(dev_priv, pin), "Invalid pin: %d\n", pin);
> > >
> > > return &dev_priv->gmbus[pin].adapter;
> > > }
> >
> > So all of this discussion is hypothetical in the sense that it really
> > should never happen. You can track down the args passed to
> > intel_gmbus_get_adapter(), while the static analyzer is unable to do
> > that.
> >
> > BR,
> > Jani.
> >
> >
> > >
> > > Shaobo
> > > On 3/18/19 5:53 PM, Rodrigo Vivi wrote:
> > > > On Mon, Mar 18, 2019 at 05:39:48PM -0600, Shaobo He wrote:
> > > > > Hi Rodrigo,
> > > > >
> > > > > Sorry I'm a bit lost here. May I ask where the `WARN` is?
> > > >
> > > > along with the return NULL
> > > >
> > > > struct i2c_adapter *intel_gmbus_get_adapte()
> > > > if (WARN_ON(!intel_gmbus_is_valid_pin(dev_priv, pin)))
> > > > return NULL;
> > > >
> > > > >
> > > > > Thanks,
> > > > > Shaobo
> > > > > On 3/18/19 5:26 PM, Rodrigo Vivi wrote:
> > > > > > Hi Shaobo,
> > > > > >
> > > > > > n Mon, Mar 18, 2019 at 05:01:10PM -0600, Shaobo He wrote:
> > > > > > > Hello everyone,
> > > > > > >
> > > > > > > My name is Shaobo He and I am a graduate student at University of Utah. I am
> > > > > > > using a static analysis tool to search for null pointer dereferences and
> > > > > > > came across a potentially invalid memory access in the file
> > > > > > > drivers/gpu/drm/i915/intel_crt.c: in function `intel_crt_detect_ddc`,
> > > > > > > function `intel_gmbus_get_adapter` can return a NULL pointer which is
> > > > > >
> > > > > > if this happens we've done a terrible job on defining the platform...
> > > > > >
> > > > > > > dereferenced by the call to `drm_get_edid` or `intel_gmbus_is_forced_bit`.
> > > > > >
> > > > > > but it seems you are right... this will reach i2c_transfer in the end
> > > > > > and it will break everything after we gave the Warning...
> > > > > >
> > > > > > > It seems that the return value of `intel_gmbus_get_adapter` is never
> > > > > > > NULL-checked. If so, it would be better to replace the branch to return a
> > > > > > > NULL pointer with something like `BUG_ON`.
> > > > > >
> > > > > > what about just adding if (!i2c) return false
> > > > > > instead of BUG.
> > > > > >
> > > > > > We already have the WARN to debug if this case ever happens.
> > > > > >
> > > > > > Thanks,
> > > > > > Rodrigo.
> > > > > >
> > > > > > >
> > > > > > > Please let me know if it makes sense. I am looking forward to your reply.
> > > > > > >
> > > > > > > Best,
> > > > > > > Shaobo
> >
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
prev parent reply other threads:[~2019-03-19 17:12 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-18 23:01 Potential NULL pointer dereference in intel_crt_get_edid Shaobo He
2019-03-18 23:26 ` Rodrigo Vivi
2019-03-18 23:39 ` Shaobo He
2019-03-18 23:53 ` Rodrigo Vivi
2019-03-19 0:24 ` Shaobo He
2019-03-19 8:32 ` Jani Nikula
2019-03-19 16:53 ` Shaobo He
2019-03-19 17:12 ` Rodrigo Vivi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190319171254.GE27875@intel.com \
--to=rodrigo.vivi@intel.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=shaobo@cs.utah.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox