On Wed, Jul 24, 2019 at 11:49:26AM +0800, Jia-Ju Bai wrote:
> In is_valid_state(), there is an if statement on line 839 to check
> whether nc is NULL:
>     if (nc)
>
> When nc is NULL, it is used on line 880:
>     (nc->verify_alg[0] == 0)
>
> Thus, a possible null-pointer dereference may occur.
>
> To fix this bug, nc is also checked on line 880.
>
> This bug was found by a static analysis tool STCheck written by us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>
> ---
>  drivers/block/drbd/drbd_state.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/block/drbd/drbd_state.c b/drivers/block/drbd/drbd_state.c
> index eeaa3b49b264..3cf477e9cf6a 100644
> --- a/drivers/block/drbd/drbd_state.c
> +++ b/drivers/block/drbd/drbd_state.c
> @@ -877,7 +877,7 @@ is_valid_state(struct drbd_device *device, union drbd_state ns)
>  		rv = SS_CONNECTED_OUTDATES;
>
>  	else if ((ns.conn == C_VERIFY_S || ns.conn == C_VERIFY_T) &&
> -		  (nc->verify_alg[0] == 0))
> +		  (nc && nc->verify_alg[0] == 0))
>  		rv = SS_NO_VERIFY_ALG;

AFAIK it is "impossible" to reach such a DRBD state without having a valid
net conf. Anyways, a check is a good idea, but the logic is wrong. I would
propose something like this:

	else if ((ns.conn == C_VERIFY_S || ns.conn == C_VERIFY_T) &&
-		  (nc->verify_alg[0] == 0))
+		  (!nc || nc->verify_alg[0] == 0))
		rv = SS_NO_VERIFY_ALG;

Regards, rck
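Review bot: the new guard `(nc && nc->verify_alg[0] == 0)` in the else-if removes the dereference but turns the case it is meant to handle into an accept: with nc == NULL the whole condition is false, rv is not set to SS_NO_VERIFY_ALG, and a transition to C_VERIFY_S/C_VERIFY_T goes through with no verify algorithm at all. A validity check like this has to fail closed, so the condition should be `(!nc || nc->verify_alg[0] == 0)`, as proposed in the reply. The commit message should also state whether a NULL nc is actually reachable at this point; the reply says it should not be, in which case this is a defensive check rather than a fix for a real dereference and should be described as such.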
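To make the difference between the two guards concrete, here is an added example, not DRBD code and not from either poster: a stand-alone model of the verify_alg check with constructed net conf values, showing that the patch's `nc && ...` form fails open on a NULL nc while the `!nc || ...` form fails closed. The enum values, the struct layout, the array size and the function names are assumptions; only the two conditions are taken from the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in definitions. The names mirror the drbd identifiers quoted in the
 * thread, but the values and the struct layout are assumptions, not the
 * real headers. */
enum drbd_conns { C_CONNECTED, C_VERIFY_S, C_VERIFY_T };
enum drbd_state_rv { SS_SUCCESS = 1, SS_NO_VERIFY_ALG = -9 };

struct net_conf {
	char verify_alg[64];	/* verify_alg[0] == 0 means "no algorithm set" */
};

/* Variant A: the guard from the posted patch. A NULL nc makes the whole
 * condition false, so the verify state is ACCEPTED (fail-open). */
enum drbd_state_rv verify_check_patch(const struct net_conf *nc,
				      enum drbd_conns conn)
{
	if ((conn == C_VERIFY_S || conn == C_VERIFY_T) &&
	    (nc && nc->verify_alg[0] == 0))
		return SS_NO_VERIFY_ALG;
	return SS_SUCCESS;
}

/* Variant B: the guard proposed in the reply. A NULL nc is treated exactly
 * like an empty verify_alg, so the verify state is REFUSED (fail-closed). */
enum drbd_state_rv verify_check_proposed(const struct net_conf *nc,
					 enum drbd_conns conn)
{
	if ((conn == C_VERIFY_S || conn == C_VERIFY_T) &&
	    (!nc || nc->verify_alg[0] == 0))
		return SS_NO_VERIFY_ALG;
	return SS_SUCCESS;
}

/* Run both guards over every combination of (net conf, target state) and
 * count the inputs on which they disagree. The only disagreements are the
 * NULL-nc verify transitions, which A accepts and B refuses. */
int count_disagreements(void)
{
	struct net_conf with_alg = { .verify_alg = "crc32c" };	/* constructed */
	struct net_conf no_alg = { .verify_alg = "" };		/* constructed */
	const struct net_conf *confs[] = { &with_alg, &no_alg, NULL };
	enum drbd_conns conns[] = { C_CONNECTED, C_VERIFY_S, C_VERIFY_T };
	int diffs = 0;

	for (size_t i = 0; i < 3; i++)
		for (size_t j = 0; j < 3; j++)
			if (verify_check_patch(confs[i], conns[j]) !=
			    verify_check_proposed(confs[i], conns[j]))
				diffs++;
	return diffs;
}

static const char *rv_name(enum drbd_state_rv rv)
{
	return rv == SS_SUCCESS ? "SS_SUCCESS" : "SS_NO_VERIFY_ALG";
}

int main(void)
{
	/* The interesting case: no net conf, transition to C_VERIFY_S. */
	printf("nc == NULL, ns.conn == C_VERIFY_S:\n");
	printf("  patch    (nc && ...)  -> %s\n",
	       rv_name(verify_check_patch(NULL, C_VERIFY_S)));
	printf("  proposed (!nc || ...) -> %s\n",
	       rv_name(verify_check_proposed(NULL, C_VERIFY_S)));
	printf("inputs where the two guards disagree: %d\n",
	       count_disagreements());
	return 0;
}
```

With a real net conf (with or without an algorithm) both variants return the same result; they diverge only when nc is NULL, which is exactly the case the patch set out to handle.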