public inbox for linux-scsi@vger.kernel.org
* Potentially invalid memory accesses drivers/message/fusion/mptbase.c
@ 2017-07-20 23:28 Shaobo
From: Shaobo @ 2017-07-20 23:28 UTC
  To: DL-MPTFusionLinux, MPT-FusionLinux.pdl, linux-scsi; +Cc: kashyap.desai

Hi there,

My name is Shaobo He and I am a graduate student at the University of Utah.
I am using a static analysis tool to search for null pointer 
dereferences and came across a couple of potentially invalid memory 
accesses in the file drivers/message/fusion/mptbase.c: in function 
`mpt_turbo_reply`, variable `mf` is initialized to NULL. If the case 
`MPI_CONTEXT_REPLY_TYPE_SCSI_TARGET` is taken, then `mf` is not updated 
to a non-NULL value and then may get dereferenced in function 
`mpt_free_msg_frame`. However, there are a couple of conditions that can 
make the error path infeasible. I was wondering if you could confirm 
this.

Please let me know if it makes sense. I am looking forward to your 
reply.

Best,
Shaobo

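The pattern described in the report, as an added stand-alone model rather than the driver's own code: a frame pointer that starts at NULL, a switch in which one reply type never assigns it, and a free routine that dereferences whatever it is handed. All names here (reply_type, msg_frame, turbo_reply_unchecked, turbo_reply_hardened) are assumptions for illustration; the hardened variant adds the NULL check that turns the reported path into a handled error.

```c
#include <stddef.h>
/* Constructed model of the pattern in the report; every name here is an
 * assumption for illustration, not code from drivers/message/fusion. */
enum reply_type { REPLY_SCSI_INIT = 0, REPLY_SCSI_TARGET = 2 };
struct msg_frame { int in_use; };

/* Small frame pool, indexed by request id as the INIT case would do. */
static struct msg_frame frames[4] = { {1}, {1}, {1}, {1} };

static int frame_in_use(unsigned idx) { return frames[idx % 4].in_use; }

/* Dereferences mf unconditionally, as described for mpt_free_msg_frame. */
static void free_msg_frame(struct msg_frame *mf) { mf->in_use = 0; }

/* The shape the report describes: mf starts NULL, the TARGET case never
 * assigns it, and the free call receives NULL and faults. */
static int turbo_reply_unchecked(enum reply_type type, unsigned req_idx)
{
    struct msg_frame *mf = NULL;
    switch (type) {
    case REPLY_SCSI_INIT:
        mf = &frames[req_idx % 4];
        break;
    case REPLY_SCSI_TARGET:
        break;              /* mf is not updated on this path */
    }
    free_msg_frame(mf);     /* NULL dereference when type is TARGET */
    return 0;
}

/* Hardened form: the frame is released only when a case produced one.
 * Returns 0 when a frame was freed, -1 when the reply carried none. */
static int turbo_reply_hardened(enum reply_type type, unsigned req_idx)
{
    struct msg_frame *mf = NULL;
    switch (type) {
    case REPLY_SCSI_INIT:
        if (req_idx >= 4)
            return -1;      /* out-of-range request index */
        mf = &frames[req_idx];
        break;
    case REPLY_SCSI_TARGET:
        break;              /* reply carries no request frame */
    }
    if (!mf)
        return -1;          /* the check the unchecked path lacks */
    free_msg_frame(mf);
    return 0;
}
```

Calling turbo_reply_unchecked with REPLY_SCSI_TARGET reproduces the fault the static analyser flags; the hardened variant returns -1 on that path and leaves the pool untouched.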

* Re: Potentially invalid memory accesses drivers/message/fusion/mptbase.c
@ 2017-07-20 23:53 ` Bart Van Assche
From: Bart Van Assche @ 2017-07-20 23:53 UTC
  To: linux-scsi@vger.kernel.org, DL-MPTFusionLinux@lsi.com,
	shaobo@cs.utah.edu, MPT-FusionLinux.pdl@broadcom.com
  Cc: kashyap.desai@lsi.com

On Thu, 2017-07-20 at 17:28 -0600, Shaobo wrote:
> My name is Shaobo He and I am a graduate student at the University of Utah.
> I am using a static analysis tool to search for null pointer 
> dereferences and came across a couple of potentially invalid memory 
> accesses in the file drivers/message/fusion/mptbase.c: in function 
> `mpt_turbo_reply`, variable `mf` is initialized to NULL. If the case 
> `MPI_CONTEXT_REPLY_TYPE_SCSI_TARGET` is taken, then `mf` is not updated 
> to a non-NULL value and then may get dereferenced in function 
> `mpt_free_msg_frame`. However, there are a couple of conditions that can 
> make the error path infeasible. I was wondering if you could confirm 
> this.

Hello Shaobo,

Which static analysis tool are you using? Is it less or more powerful than
Coverity? If it is not more powerful, are you aware that a full Coverity
scan of the Linux kernel source code is already available at
https://scan.coverity.com/projects/linux? The issue you reported was first
detected by Coverity on February 24th, 2006 (more than ten years ago). In
the aforementioned database Coverity assigned ID 100124 to that issue.

Bart.
