* static analysis bug report: staging r8712u memcpy of uninitialized variable
@ 2019-03-18 11:20 Colin Ian King
From: Colin Ian King @ 2019-03-18 11:20 UTC (permalink / raw)
To: Larry Finger; +Cc: linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org
Hi,
Static analysis with cppcheck found a couple of interesting issues with
memcpy'ing of an uninitialized variable. Two occurrences of the same
issue are found in drivers/staging/rtl8712/rtl8712_cmd.c in functions
read_bbreg_hdl and read_rfreg_hdl.
For example:
static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
{
        u32 val;
        void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd);
        struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;

        if (pcmd->rsp && pcmd->rspsz > 0)
                memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);

        ....

}
I don't understand why the contents of val are being memcpy'd to
pcmd->rsp, especially when val is uninitialized and hence contains
garbage. Any ideas?
Colin
* Re: static analysis bug report: staging r8712u memcpy of uninitialized variable
From: Dan Carpenter @ 2019-03-20 8:58 UTC (permalink / raw)
To: Colin Ian King
Cc: Larry Finger, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org
On Mon, Mar 18, 2019 at 11:20:51AM +0000, Colin Ian King wrote:
> Hi,
>
> Static analysis with cppcheck found a couple of interesting issues with
> memcpy'ing of an uninitialized variable. Two occurrences of the same
> issue are found in drivers/staging/rtl8712/rtl8712_cmd.c in functions
> read_bbreg_hdl and read_rfreg_hdl.
>
> For example:
>
> static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
> {
>         u32 val;
>         void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd);
>         struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
>
>         if (pcmd->rsp && pcmd->rspsz > 0)
>                 memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
>
>         ....
>
> }
>
> I don't understand why the contents of val are being memcpy'd to
> pcmd->rsp, especially when val is uninitialized and hence contains
> garbage. Any ideas?
>

The concern would be that it's reading a user specified amount of stack
memory to pcmd->rsp and that sounds like an information leak.

The pcmd_callback function pointer is always
r8712_getbbrfreg_cmdrsp_callback() which frees pcmd->parmbuf and pcmd but
leaks pcmd->rsp. I don't see a way for anyone to access the ->rsp memory
so probably there aren't any security implications.

Anyway, let me send a patch.

regards,
dan carpenter
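A user-space reduction of the pattern Dan describes, added here as an illustration and not code from the driver or from either poster: it keeps the requester-controlled rspsz but bounds the copy by the source variable and gives val a defined value, which is what a handler that really returned a register value would need (Dan's patch instead removes the dead path). struct cmd_obj_demo, reg_index, demo_bbregs, H2C_REJECTED and demo_request are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for struct cmd_obj, reduced to the fields used here. */
struct cmd_obj_demo {
    uint8_t *rsp;        /* requester-supplied response buffer, may be NULL */
    uint32_t rspsz;      /* requester-controlled response length */
    uint32_t reg_index;  /* register to read (hypothetical field) */
};

#define H2C_SUCCESS  0
#define H2C_REJECTED 1   /* hypothetical status for a malformed request */

/* Constructed sample register file standing in for the hardware read. */
static const uint32_t demo_bbregs[4] = { 0x0, 0x5A5A5A5A, 0xC3C3C3C3, 0x0BADF00D };
#define DEMO_NREGS (sizeof(demo_bbregs) / sizeof(demo_bbregs[0]))

/* Scratch response buffer for callers of demo_request(). */
uint8_t demo_buf[64];

/* The original copied rspsz bytes out of an uninitialized u32, so the requester
 * chose how much stack to read. Here val is always defined and the copy length
 * is bounded by the size of the source object, not by the request. */
static int read_reg_safe(struct cmd_obj_demo *pcmd)
{
    uint32_t val = 0;

    if (!pcmd->rsp || pcmd->rspsz == 0)
        return H2C_SUCCESS;          /* no response requested */
    if (pcmd->rspsz > sizeof(val))
        return H2C_REJECTED;         /* never copy past the source */
    if (pcmd->reg_index >= DEMO_NREGS)
        return H2C_REJECTED;         /* unknown register */

    val = demo_bbregs[pcmd->reg_index];
    memcpy(pcmd->rsp, &val, pcmd->rspsz);
    return H2C_SUCCESS;
}

/* Issues one request into a poisoned buffer and returns the handler's status;
 * bytes the handler did not write stay 0xAA, so any gap or leak is visible. */
int demo_request(uint32_t reg_index, uint32_t rspsz, uint8_t *buf, size_t buflen)
{
    struct cmd_obj_demo cmd = { .rsp = buf, .rspsz = rspsz, .reg_index = reg_index };

    memset(buf, 0xAA, buflen);
    return read_reg_safe(&cmd);
}
```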
* [PATCH] staging: rtl8712: uninitialized memory in read_bbreg_hdl()
From: Dan Carpenter @ 2019-03-21 6:26 UTC (permalink / raw)
To: Larry Finger, Colin Ian King
Cc: Florian Schilhabel, Greg Kroah-Hartman, Michael Straube, devel, linux-kernel
Colin King reported a bug in read_bbreg_hdl():

        memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);

The problem is that "val" is uninitialized.

This code is obviously not useful, but so far as I can tell
"pcmd->cmdcode" is never GEN_CMD_CODE(_Read_BBREG) so it's not harmful
either. For now the easiest fix is to just call r8712_free_cmd_obj()
and return.

Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
Reported-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/staging/rtl8712/rtl8712_cmd.c | 10 +---------
 drivers/staging/rtl8712/rtl8712_cmd.h | 2 +-
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/drivers/staging/rtl8712/rtl8712_cmd.h b/drivers/staging/rtl8712/rtl8712_cmd.h
index 92fb77666d44..1ef86b8c592f 100644
--- a/drivers/staging/rtl8712/rtl8712_cmd.h
+++ b/drivers/staging/rtl8712/rtl8712_cmd.h
@@ -140,7 +140,7 @@ enum rtl8712_h2c_cmd { static struct _cmd_callback cmd_callback[] = { {GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/ {GEN_CMD_CODE(_Write_MACREG), NULL}, - {GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback}, + {GEN_CMD_CODE(_Read_BBREG), NULL}, {GEN_CMD_CODE(_Write_BBREG), NULL}, {GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback}, {GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/ diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c index 1920d02f7c9f..8c36acedf507 100644 --- a/drivers/staging/rtl8712/rtl8712_cmd.c +++ b/drivers/staging/rtl8712/rtl8712_cmd.c
@@ -147,17 +147,9 @@ static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf) static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf) { - u32 val; - void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd); struct cmd_obj *pcmd = (struct cmd_obj *)pbuf; - if (pcmd->rsp && pcmd->rspsz > 0) - memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz); - pcmd_callback = cmd_callback[pcmd->cmdcode].callback; - if (!pcmd_callback) - r8712_free_cmd_obj(pcmd); - else - pcmd_callback(padapter, pcmd); + r8712_free_cmd_obj(pcmd); return H2C_SUCCESS; } -- 2.17.1
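Review bot: the rtl8712_cmd.h hunk only clears the _Read_BBREG entry, while the _Read_RFREG entry two lines below still points at &r8712_getbbrfreg_cmdrsp_callback, and the report at the top of the thread names read_rfreg_hdl() as a second copy of the same uninitialized-val memcpy. Either fix read_rfreg_hdl() in the same patch or say in the commit message why it is left for a follow-up; as written, the Fixes: tag reads as if the whole report were addressed.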
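Review bot: after the rtl8712_cmd.c hunk, read_bbreg_hdl() frees the command object and returns H2C_SUCCESS without ever touching pcmd->rsp, so any future caller that does allocate rsp and set rspsz would get success and no data. Since the commit message relies on this command code never being issued, a one-line comment above `r8712_free_cmd_obj(pcmd);` saying the handler is intentionally a no-op would stop the next reader from restoring the old shape.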
* Re: [PATCH] staging: rtl8712: uninitialized memory in read_bbreg_hdl()
From: Dan Carpenter @ 2019-03-21 6:45 UTC (permalink / raw)
To: Larry Finger, Colin Ian King
Cc: Florian Schilhabel, Greg Kroah-Hartman, Michael Straube, devel, linux-kernel
On Thu, Mar 21, 2019 at 09:26:38AM +0300, Dan Carpenter wrote:
> Colin King reported a bug in read_bbreg_hdl():
>
>         memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
>
> The problem is that "val" is uninitialized.
>
> This code is obviously not useful, but so far as I can tell
> "pcmd->cmdcode" is never GEN_CMD_CODE(_Read_BBREG) so it's not harmful
> either. For now the easiest fix is to just call r8712_free_cmd_obj()
> and return.
>
> Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
> Reported-by: Colin Ian King <colin.king@canonical.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/staging/rtl8712/rtl8712_cmd.c | 10 +---------
>  drivers/staging/rtl8712/rtl8712_cmd.h | 2 +-
>  2 files changed, 2 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/staging/rtl8712/rtl8712_cmd.h b/drivers/staging/rtl8712/rtl8712_cmd.h
> index 92fb77666d44..1ef86b8c592f 100644
> --- a/drivers/staging/rtl8712/rtl8712_cmd.h
> +++ b/drivers/staging/rtl8712/rtl8712_cmd.h
> @@ -140,7 +140,7 @@ enum rtl8712_h2c_cmd { > static struct _cmd_callback cmd_callback[] = { > {GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/ > {GEN_CMD_CODE(_Write_MACREG), NULL}, > - {GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback}, > + {GEN_CMD_CODE(_Read_BBREG), NULL}, > {GEN_CMD_CODE(_Write_BBREG), NULL}, > {GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback}, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > {GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/

The other place that calls r8712_getbbrfreg_cmdrsp_callback() is
read_rfreg_hdl(). For GEN_CMD_CODE(_Read_RFREG) we don't allocate the
->rsp pointer so we can't kfree() it. The read_rfreg_hdl() function
calls r8712_free_cmd_obj() which kfrees it. But fortunately that is
dead code.

This code is obviously staging code... It would be fairly
straightforward to get rid of the cmd_callback[] array.

regards,
dan carpenter