lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 7 Mar 2024 21:16:00 +0100
From: "Christian A. Ehrhardt" <lk@...e.de>
To: coverity-bot <keescook@...omium.org>
Cc: Jameson Thies <jthies@...gle.com>, Hans de Goede <hdegoede@...hat.com>,
	Fabrice Gasnier <fabrice.gasnier@...s.st.com>,
	Neil Armstrong <neil.armstrong@...aro.org>,
	linux-usb@...r.kernel.org, Benson Leung <bleung@...omium.org>,
	Saranya Gopal <saranya.gopal@...el.com>,
	Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
	Abhishek Pandit-Subedi <abhishekpandit@...omium.org>,
	Prashant Malani <pmalani@...omium.org>,
	Heikki Krogerus <heikki.krogerus@...ux.intel.com>,
	linux-kernel@...r.kernel.org,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	"Gustavo A. R. Silva" <gustavo@...eddedor.com>,
	linux-next@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: Coverity: ucsi_check_cable(): Null pointer dereferences


Hi,

On Thu, Mar 07, 2024 at 11:34:21AM -0800, coverity-bot wrote:
> Hello!
> 
> This is an experimental semi-automated report about issues detected by
> Coverity from a scan of next-20240307 as part of the linux-next scan project:
> https://scan.coverity.com/projects/linux-next-weekly-scan
> 
> You're getting this email because you were associated with the identified
> lines of code (noted below) that were touched by commits:
> 
>   Tue Mar 5 13:11:08 2024 +0000
>     f896d5e8726c ("usb: typec: ucsi: Register SOP/SOP' Discover Identity Responses")
> 
> Coverity reported the following:
> 
> *** CID 1584245:  Null pointer dereferences  (FORWARD_NULL)
> drivers/usb/typec/ucsi/ucsi.c:1136 in ucsi_check_cable()
> 1130     	}
> 1131
> 1132     	ret = ucsi_register_cable(con);
> 1133     	if (ret < 0)
> 1134     		return ret;
> 1135
> vvv     CID 1584245:  Null pointer dereferences  (FORWARD_NULL)
> vvv     Passing "con" to "ucsi_get_cable_identity", which dereferences null "con->cable".
> 1136     	ret = ucsi_get_cable_identity(con);
> 1137     	if (ret < 0)
> 1138     		return ret;
> 1139
> 1140     	ret = ucsi_register_plug(con);
> 1141     	if (ret < 0)
> 
> If this is a false positive, please let us know so we can mark it as
> such, or teach the Coverity rules to be smarter. If not, please make
> sure fixes get into linux-next. :) For patches fixing this, please
> include these lines (but double-check the "Fixes" first):

This looks like a false positive to me. The code looks like this:

	if (con->cable)
		return 0;
	[ ... ]
	ret = ucsi_register_cable(con)
	if (ret < 0)
		return ret;
	ret = ucsi_get_cable_identity(con);
	[ ... ]

>From the con->cable check coverity concludes that con->cable is
initially NULL. Later ucsi_register_cable() initializes con->cable
if successful. Coverity seems to miss this and still thinks that
con->cable is NULL. Then converity correctly notices that
ucsi_get_cable_identity() dereferences con->cable and complains.

     regards  Christian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ