Re: CVE-2023-52605: ACPI: extlog: fix NULL pointer dereference check

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Lee Jones <lee@kernel.org>
To: Prarit Bhargava <prarit@redhat.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>,
	cve@kernel.org, linux-kernel@vger.kernel.org,
	linux-cve-announce@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
Subject: Re: CVE-2023-52605: ACPI: extlog: fix NULL pointer dereference check
Date: Thu, 14 Mar 2024 11:01:10 +0000	[thread overview]
Message-ID: <20240314110110.GL1522089@google.com> (raw)
In-Reply-To: <7591f33e-d64f-49c5-b7c8-deda2b6f0fde@redhat.com>

On Mon, 11 Mar 2024, Prarit Bhargava wrote:

> On 3/10/24 04:10, Vegard Nossum wrote:
> > 
> > (Added author/maintainer to Cc)
> > 
> > On 06/03/2024 07:46, Greg Kroah-Hartman wrote:
> > > Description
> > > ===========
> > > 
> > > In the Linux kernel, the following vulnerability has been resolved:
> > > 
> > > ACPI: extlog: fix NULL pointer dereference check
> > > 
> > > The gcc plugin -fanalyzer [1] tries to detect various
> > > patterns of incorrect behaviour.  The tool reports:
> > > 
> > > drivers/acpi/acpi_extlog.c: In function ‘extlog_exit’:
> > > drivers/acpi/acpi_extlog.c:307:12: warning: check of
> > > ‘extlog_l1_addr’ for NULL after already dereferencing it
> > > [-Wanalyzer-deref-before-check]
> > >      |
> > >      |  306 |         ((struct extlog_l1_head
> > > *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN;
> > >      |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~
> > >      |      |                                                  |
> > >      |      |                                                  (1)
> > > pointer ‘extlog_l1_addr’ is dereferenced here
> > >      |  307 |         if (extlog_l1_addr)
> > >      |      |            ~
> > >      |      |            |
> > >      |      |            (2) pointer ‘extlog_l1_addr’ is checked for
> > > NULL here but it was already dereferenced at (1)
> > >      |
> > > 
> > > Fix the NULL pointer dereference check in extlog_exit().
> > > 
> > > The Linux kernel CVE team has assigned CVE-2023-52605 to this issue.
> > 
> > This code is in an __exit function:
> > 
> > diff --git a/drivers/acpi/acpi_extlog.c b/drivers/acpi/acpi_extlog.c
> > index e120a96e1eaee..193147769146e 100644
> > --- a/drivers/acpi/acpi_extlog.c
> > +++ b/drivers/acpi/acpi_extlog.c
> > @@ -303,9 +303,10 @@ err:
> >   static void __exit extlog_exit(void)
> >   {
> >       mce_unregister_decode_chain(&extlog_mce_dec);
> > -    ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN;
> > -    if (extlog_l1_addr)
> > +    if (extlog_l1_addr) {
> > +        ((struct extlog_l1_head *)extlog_l1_addr)->flags &=
> > ~FLAG_OS_OPTIN;
> >           acpi_os_unmap_iomem(extlog_l1_addr, l1_size);
> > +    }
> >       if (elog_addr)
> >           acpi_os_unmap_iomem(elog_addr, elog_size);
> >       release_mem_region(elog_base, elog_size);
> > 
> > This can only run when you unload a module, which is a privileged
> > operation (restricted to CAP_SYS_MODULE).
> > 
> > Moreover, extlog_l1_addr is only ever assigned in the corresponding
> > module init function, and it looks like it will never be NULL if the
> > module was loaded successfully, at least on a recent mainline kernel.
> > 
> > Since the module exit won't be called unless module init succeeded, I
> > don't see a way to trigger this bug. Is this a vulnerability?
> > 
> 
> This is certainly not a CVE.
> 
> > It might be better to just delete the NULL check altogether.
> > 
> > As usual, I could be wrong...
> > 
> 
> When I made this code change I thought the same thing: Perhaps it's better
> to remove the NULL check given the status of the code.  I assumed that the
> check was there as a failsafe on unload.

If Rafael agrees with you both, I'd be happy to revoke its CVE status.

-- 
Lee Jones [李琼斯]

next prev parent reply	other threads:[~2024-03-14 11:01 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <2024030647-CVE-2023-52605-292a@gregkh>
2024-03-10  8:10 ` CVE-2023-52605: ACPI: extlog: fix NULL pointer dereference check Vegard Nossum
2024-03-11 12:14   ` Prarit Bhargava
2024-03-14 11:01     ` Lee Jones [this message]
2024-03-15 19:24       ` Wysocki, Rafael J
2024-03-18 15:13         ` Lee Jones

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240314110110.GL1522089@google.com \
    --to=lee@kernel.org \
    --cc=cve@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-cve-announce@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=prarit@redhat.com \
    --cc=rafael.j.wysocki@intel.com \
    --cc=vegard.nossum@oracle.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox