Re: [PATCH][RESEND] Fix a potential NULL pointer deref in the aic7xxx, ahc_print_register() function

All of this logic was simplified back in '05 in the BSD drivers by adding
this to the top of the function:

        u_int   dummy_column;
        if (cur_column == NULL) {
                dummy_column = 0;
                cur_column = &dummy_column;
        }

and then stripping out the cur_column == NULL checks in the routine.

--
Justin

Jesper Juhl wrote:
On 04/08/07, James Bottomley <James.Bottomley@xxxxxxxxxxxx> wrote:
On Sat, 2007-08-04 at 20:30 +0200, Jesper Juhl wrote:
(resend of patch previously submitted on 28-Jul-2007 23:06)


Ehlo,

The Coverity checker noticed that we have a potential NULL pointer
deref in drivers/scsi/aic7xxx/aic7xxx_core.c::ahc_print_register().
This patch handles it by adding the same test against NULL that is
used elsewhere in the same function.
It's on my list of things to look at ... but not very high.  I suspect
it actually isn't triggerable, but if you can tell me how, it will save
me from looking.


Here's what Coverity reported:
...
6525 	int
6526 	ahc_print_register(ahc_reg_parse_entry_t *table, u_int num_entries,
6527 			   const char *name, u_int address, u_int value,
6528 			   u_int *cur_column, u_int wrap_point)
6529 	{
6530 		int	printed;
6531 		u_int	printed_mask;
6532 	

Event var_compare_op: Added "cur_column" due to comparison "cur_column != 0"
Also see events: [var_deref_op]
At conditional (1): "cur_column != 0" taking false path

6533 		if (cur_column != NULL && *cur_column >= wrap_point) {
6534 			printf("\n");
6535 			*cur_column = 0;
6536 		}
6537 		printed = printf("%s[0x%x]", name, value);

At conditional (2): "table == 0" taking true path

6538 		if (table == NULL) {
6539 			printed += printf(" ");

Event var_deref_op: Variable "cur_column" tracked as NULL was dereferenced.
Also see events: [var_compare_op]

6540 			*cur_column += printed;
6541 			return (printed);
6542 		}
...

So it requires a NULL 'table' and a != NULL 'cur_column' to trigger.
Whether or not that's actually possible I'm not sure, but it seems
safer to guard against it :)


By the way; if this can actually be triggered, then
ahd_print_register() has the same problem.
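The "dummy column" idiom Justin describes, worked through as an added example (this is not the kernel's or the BSD driver's code): a reduced model of ahc_print_register() where a NULL cur_column is redirected to a local once at the top, so the dereference Coverity flagged on the table == NULL path needs no per-site check. The entry type, demo table and column_after() helper are stand-ins constructed for the demo.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not the kernel's code: a reduced model of ahc_print_register()
 * using the BSD "dummy column" idiom. Entry type and demo table are stand-ins. */
typedef struct { const char *name; unsigned int mask; } reg_parse_entry_t;

int print_register(const reg_parse_entry_t *table, unsigned int num_entries,
                   const char *name, unsigned int value,
                   unsigned int *cur_column, unsigned int wrap_point)
{
    unsigned int dummy_column;
    unsigned int printed_mask = 0;
    int printed;

    /* Route a NULL cur_column to a local once, at the top, so every later
     * *cur_column dereference is safe without per-site NULL checks. */
    if (cur_column == NULL) {
        dummy_column = 0;
        cur_column = &dummy_column;
    }
    if (*cur_column >= wrap_point) {
        printf("\n");
        *cur_column = 0;
    }
    printed = printf("%s[0x%x]", name, value);
    if (table == NULL) {
        printed += printf(" ");
        *cur_column += printed;   /* the dereference Coverity flagged: now safe */
        return printed;
    }
    for (unsigned int i = 0; i < num_entries; i++) {
        if ((value & table[i].mask) == 0 || (printed_mask & table[i].mask) != 0)
            continue;
        printed += printf("%s%s", printed_mask == 0 ? ":(" : "|", table[i].name);
        printed_mask |= table[i].mask;
    }
    printed += printf("%s", printed_mask != 0 ? ") " : " ");
    *cur_column += printed;
    return printed;
}

/* Constructed sample table for the demo. */
const reg_parse_entry_t demo_table[] = { { "ENABLE", 0x1 }, { "BUSY", 0x2 } };

/* Column position after one NULL-table print that started at start_col. */
unsigned int column_after(unsigned int start_col, unsigned int wrap_point)
{
    unsigned int col = start_col;
    print_register(NULL, 0, "SCSISEQ", 0x5, &col, wrap_point);
    return col;
}
```

Calling print_register() with both table and cur_column NULL is the exact combination the Coverity report describes, and it now returns the character count instead of faulting.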

