From: Florian Fainelli <f.fainelli@gmail.com>
To: Arend Van Spriel <arend.vanspriel@broadcom.com>,
brcm80211-dev-list.pdl@broadcom.com
Cc: linux-wireless@vger.kernel.org, pieterpg@broadcom.com,
kvalo@codeaurora.org, hante.meuleman@broadcom.com
Subject: Re: [PATCH 0/4] brcm80211: Misc coverity fixes
Date: Tue, 19 Jul 2016 11:30:32 -0700 [thread overview]
Message-ID: <578E71C8.1050003@gmail.com> (raw)
In-Reply-To: <53a36e85-37ad-10a5-81fc-40ce4efa6a65@broadcom.com>
On 07/19/2016 11:21 AM, Arend Van Spriel wrote:
> On 19-7-2016 18:41, Florian Fainelli wrote:
>> On 07/19/2016 02:20 AM, Arend Van Spriel wrote:
>>> + Bob
>>>
>>> On 19-7-2016 1:24, Florian Fainelli wrote:
>>>> Hi,
>>>>
>>>> This patch series addresses several coverity issues, they all seemed relevant
>>>> to me.
>>>
>>> Hi Florian,
>>>
>>> Been a while so nice to see coverity fixes popping up. Actually
>>> something that I have on my todo list to add our brcm80211 to coverity
>>> within Broadcom. So being curious as to whether this comes from a public
>>> coverity server like scan.coverity.com. Maybe bit redundant to setup
>>> internally if there is a good coverity analysis publicly available.
>>
>> This is coming from the public coverity instance, if you create an
>> account there I could transfer to you the other bugs that affect the
>> brcm80211 drivers (hint: there is a ton of of them because of
>> brcmf_fil_iovar_int_get and friends).
>
> I did create an account and noticed "Broadcom Linux Kernel Open Source
> Repository" project. Anyways, let me have it :-p
>
>>>
>>>> There is also a ton of warnings in Coverity caused by brcmf_fil_iovar_int_get()
>>>> and friends because of the initial access:
>>>>
>>>> __le32 data_le = cpu_to_le32(*data) which can utilize unitialized memory. I am
>>>> not sure if we actually care about any kind of initial, value, but if we don't,
>>>> then the fix should be fairly obvious.
>>>
>>> If we are talking only about "get" variant than we mostly don't care.
>>> Some getters support filter variables to be passed towards firmware. I
>>> have not looked at the analysis to give any judgement here.
>>
>> Alright, do you have a good way to test a patch that would just zero
>> initialize the data variable in brcmf_fil_iovar_int_get()? If so, I will
>> submit one with the appropriate CID references.
>
> But why would we care to zero the data when firmware simply overwrites
> it. These control messages are not high-prio so we can burn some cycles
> to initialize the variable, but to me this is a false positive.
We have something like this all over the place:
func() {
u32 val;
brcmf_fil_iovar_int_get(..., &val, sizeof(val));
}
brcmf_fil_iovar_int_get(.., const u32 *data, size_t len)
{
__le32 data_le = cpu_to_le32(*data);
...
}
So here data_le also has an uninitialized value, and later on, this:
buflen = brcmf_create_iovar(name, data, len, drvr->proto_buf,
sizeof(drvr->proto_buf));
}
And this function does this:
static u32
brcmf_create_iovar(char *name, const char *data, u32 datalen,
char *buf, u32 buflen)
{
u32 len;
len = strlen(name) + 1;
if ((len + datalen) > buflen)
return 0;
memcpy(buf, name, len);
/* append data onto the end of the name string */
if (data && datalen)
memcpy(&buf[len], data, datalen);
return len + datalen;
}
We are essentially copying into buf an uninitialized value coming from
the stack, which seems like a problem to me.
--
Florian
next prev parent reply other threads:[~2016-07-19 18:30 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-18 23:24 [PATCH 0/4] brcm80211: Misc coverity fixes Florian Fainelli
2016-07-18 23:24 ` [PATCH 1/4] brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain Florian Fainelli
2016-07-19 10:19 ` Arend Van Spriel
2016-07-19 18:14 ` [1/4] " Kalle Valo
2016-07-18 23:24 ` [PATCH 2/4] brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill Florian Fainelli
2016-07-19 9:25 ` Arend Van Spriel
2016-07-18 23:24 ` [PATCH 3/4] brcmsmac: Fix invalid memcpy() size in brcms_c_d11hdrs_mac80211 Florian Fainelli
2016-07-19 10:38 ` Arend Van Spriel
2016-07-19 12:40 ` Kalle Valo
2016-07-19 16:42 ` Florian Fainelli
2016-07-19 18:26 ` Arend Van Spriel
2016-07-18 23:24 ` [PATCH 4/4] brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get() Florian Fainelli
2016-07-19 10:26 ` Arend Van Spriel
2016-07-19 9:20 ` [PATCH 0/4] brcm80211: Misc coverity fixes Arend Van Spriel
2016-07-19 16:41 ` Florian Fainelli
2016-07-19 18:21 ` Arend Van Spriel
2016-07-19 18:30 ` Florian Fainelli [this message]
2016-07-19 19:36 ` Arend Van Spriel
2016-07-19 20:09 ` Florian Fainelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=578E71C8.1050003@gmail.com \
--to=f.fainelli@gmail.com \
--cc=arend.vanspriel@broadcom.com \
--cc=brcm80211-dev-list.pdl@broadcom.com \
--cc=hante.meuleman@broadcom.com \
--cc=kvalo@codeaurora.org \
--cc=linux-wireless@vger.kernel.org \
--cc=pieterpg@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).