[PATCH] can: check for null sk before deferencing it via the call to sock

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] can: check for null sk before deferencing it via the call to sock_net
@ 2017-09-08 15:02 Colin King
  2017-09-08 17:46 ` Oliver Hartkopp
  2017-10-17  5:49 ` Marc Kleine-Budde
  0 siblings, 2 replies; 5+ messages in thread
From: Colin King @ 2017-09-08 15:02 UTC (permalink / raw)
  To: Oliver Hartkopp, Marc Kleine-Budde, David S . Miller, linux-can,
	netdev
  Cc: kernel-janitors, linux-kernel

From: Colin Ian King <colin.king@canonical.com>

The assignment of net via call sock_net will dereference sk. This
is performed before a sanity null check on sk, so there could be
a potential null dereference on the sock_net call if sk is null.
Fix this by assigning net after the sk null check. Also replace
the sk == NULL with the more usual !sk idiom.

Detected by CoverityScan CID#1431862 ("Dereference before null check")

Fixes: 384317ef4187 ("can: network namespace support for CAN_BCM protocol")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 net/can/bcm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/can/bcm.c b/net/can/bcm.c
index 47a8748d953a..a3791674b8ce 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1493,13 +1493,14 @@ static int bcm_init(struct sock *sk)
 static int bcm_release(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
-	struct net *net = sock_net(sk);
+	struct net *net;
 	struct bcm_sock *bo;
 	struct bcm_op *op, *next;
 
-	if (sk == NULL)
+	if (!sk)
 		return 0;
 
+	net = sock_net(sk);
 	bo = bcm_sk(sk);
 
 	/* remove bcm_ops, timer, rx_unregister(), etc. */
-- 
2.14.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] can: check for null sk before deferencing it via the call to sock_net
  2017-09-08 15:02 [PATCH] can: check for null sk before deferencing it via the call to sock_net Colin King
@ 2017-09-08 17:46 ` Oliver Hartkopp
  2017-10-16 16:37   ` Josh Boyer
  2017-10-17  5:49 ` Marc Kleine-Budde
  1 sibling, 1 reply; 5+ messages in thread
From: Oliver Hartkopp @ 2017-09-08 17:46 UTC (permalink / raw)
  To: Colin King, Marc Kleine-Budde, David S . Miller, linux-can,
	netdev
  Cc: kernel-janitors, linux-kernel



On 09/08/2017 05:02 PM, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> The assignment of net via call sock_net will dereference sk. This
> is performed before a sanity null check on sk, so there could be
> a potential null dereference on the sock_net call if sk is null.
> Fix this by assigning net after the sk null check. Also replace
> the sk == NULL with the more usual !sk idiom.
> 
> Detected by CoverityScan CID#1431862 ("Dereference before null check")
> 
> Fixes: 384317ef4187 ("can: network namespace support for CAN_BCM protocol")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>


Thanks Collin!

> ---
>   net/can/bcm.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/net/can/bcm.c b/net/can/bcm.c
> index 47a8748d953a..a3791674b8ce 100644
> --- a/net/can/bcm.c
> +++ b/net/can/bcm.c
> @@ -1493,13 +1493,14 @@ static int bcm_init(struct sock *sk)
>   static int bcm_release(struct socket *sock)
>   {
>   	struct sock *sk = sock->sk;
> -	struct net *net = sock_net(sk);
> +	struct net *net;
>   	struct bcm_sock *bo;
>   	struct bcm_op *op, *next;
>   
> -	if (sk == NULL)
> +	if (!sk)
>   		return 0;
>   
> +	net = sock_net(sk);
>   	bo = bcm_sk(sk);
>   
>   	/* remove bcm_ops, timer, rx_unregister(), etc. */
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] can: check for null sk before deferencing it via the call to sock_net
  2017-09-08 17:46 ` Oliver Hartkopp
@ 2017-10-16 16:37   ` Josh Boyer
  2017-10-16 17:32     ` Oliver Hartkopp
  0 siblings, 1 reply; 5+ messages in thread
From: Josh Boyer @ 2017-10-16 16:37 UTC (permalink / raw)
  To: Oliver Hartkopp
  Cc: Colin King, Marc Kleine-Budde, David S . Miller, linux-can,
	netdev, kernel-janitors, Linux-Kernel@Vger. Kernel. Org

On Fri, Sep 8, 2017 at 1:46 PM, Oliver Hartkopp <socketcan@hartkopp.net> wrote:
>
>
> On 09/08/2017 05:02 PM, Colin King wrote:
>>
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> The assignment of net via call sock_net will dereference sk. This
>> is performed before a sanity null check on sk, so there could be
>> a potential null dereference on the sock_net call if sk is null.
>> Fix this by assigning net after the sk null check. Also replace
>> the sk == NULL with the more usual !sk idiom.
>>
>> Detected by CoverityScan CID#1431862 ("Dereference before null check")
>>
>> Fixes: 384317ef4187 ("can: network namespace support for CAN_BCM
>> protocol")
>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>
>
> Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>

I don't see this one queued up in the net or net-next trees.  Did it
fall through the cracks or did it get queued up elsewhere?  Seems like
it's a good candidate to get into 4.14?

josh

>
>
> Thanks Collin!
>
>
>> ---
>>   net/can/bcm.c | 5 +++--
>>   1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/can/bcm.c b/net/can/bcm.c
>> index 47a8748d953a..a3791674b8ce 100644
>> --- a/net/can/bcm.c
>> +++ b/net/can/bcm.c
>> @@ -1493,13 +1493,14 @@ static int bcm_init(struct sock *sk)
>>   static int bcm_release(struct socket *sock)
>>   {
>>         struct sock *sk = sock->sk;
>> -       struct net *net = sock_net(sk);
>> +       struct net *net;
>>         struct bcm_sock *bo;
>>         struct bcm_op *op, *next;
>>   -     if (sk == NULL)
>> +       if (!sk)
>>                 return 0;
>>   +     net = sock_net(sk);
>>         bo = bcm_sk(sk);
>>         /* remove bcm_ops, timer, rx_unregister(), etc. */
>>
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] can: check for null sk before deferencing it via the call to sock_net
  2017-10-16 16:37   ` Josh Boyer
@ 2017-10-16 17:32     ` Oliver Hartkopp
  0 siblings, 0 replies; 5+ messages in thread
From: Oliver Hartkopp @ 2017-10-16 17:32 UTC (permalink / raw)
  To: Josh Boyer
  Cc: Colin King, Marc Kleine-Budde, David S . Miller, linux-can,
	netdev, kernel-janitors, Linux-Kernel@Vger. Kernel. Org

On 10/16/2017 06:37 PM, Josh Boyer wrote:
> On Fri, Sep 8, 2017 at 1:46 PM, Oliver Hartkopp <socketcan@hartkopp.net> wrote:
>>
>>
>> On 09/08/2017 05:02 PM, Colin King wrote:
>>>
>>> From: Colin Ian King <colin.king@canonical.com>
>>>
>>> The assignment of net via call sock_net will dereference sk. This
>>> is performed before a sanity null check on sk, so there could be
>>> a potential null dereference on the sock_net call if sk is null.
>>> Fix this by assigning net after the sk null check. Also replace
>>> the sk == NULL with the more usual !sk idiom.
>>>
>>> Detected by CoverityScan CID#1431862 ("Dereference before null check")
>>>
>>> Fixes: 384317ef4187 ("can: network namespace support for CAN_BCM
>>> protocol")
>>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>>
>>
>> Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
> 
> I don't see this one queued up in the net or net-next trees.  Did it
> fall through the cracks or did it get queued up elsewhere?  Seems like
> it's a good candidate to get into 4.14?

It definitely is!

Marc is our responsible guy for CAN related upstreams - but he seems to 
be busy as I already poked him here:

https://marc.info/?l=linux-can&m=150771819505097&w=2

If he doesn't send a pull request by beginning of next week, I would ask 
Dave to grab these patches - to get them into 4.14.

Best regards,
Oliver

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] can: check for null sk before deferencing it via the call to sock_net
  2017-09-08 15:02 [PATCH] can: check for null sk before deferencing it via the call to sock_net Colin King
  2017-09-08 17:46 ` Oliver Hartkopp
@ 2017-10-17  5:49 ` Marc Kleine-Budde
  1 sibling, 0 replies; 5+ messages in thread
From: Marc Kleine-Budde @ 2017-10-17  5:49 UTC (permalink / raw)
  To: Colin King, Oliver Hartkopp, David S . Miller, linux-can, netdev
  Cc: kernel-janitors, linux-kernel

[-- Attachment #1.1: Type: text/plain, Size: 950 bytes --]

On 09/08/2017 05:02 PM, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> The assignment of net via call sock_net will dereference sk. This
> is performed before a sanity null check on sk, so there could be
> a potential null dereference on the sock_net call if sk is null.
> Fix this by assigning net after the sk null check. Also replace
> the sk == NULL with the more usual !sk idiom.
> 
> Detected by CoverityScan CID#1431862 ("Dereference before null check")
> 
> Fixes: 384317ef4187 ("can: network namespace support for CAN_BCM protocol")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

Applied to can.

Tnx,
Marc

-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2017-10-17  5:49 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-09-08 15:02 [PATCH] can: check for null sk before deferencing it via the call to sock_net Colin King
2017-09-08 17:46 ` Oliver Hartkopp
2017-10-16 16:37   ` Josh Boyer
2017-10-16 17:32     ` Oliver Hartkopp
2017-10-17  5:49 ` Marc Kleine-Budde

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).