Re: [PATCH v2 1/1] drivers/usb/storage: NULL pointer dereference [null-pointer-deref] (CWE 476) problem

Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> · Sat, 17 Mar 2018 09:42:16 -0400 (EDT)

On Fri, 16 Mar 2018, Joe Moriarty wrote:

> The Parfait (version 2.1.0) static code analysis tool found the
> following NULL pointer dereference problem.
> 
> dev_to_shost() in include/scsi/scsi_host.h has the ability to return
> NULL if the scsi host device does not have the Scsi_host->parent
> field set.  With the possibilty of a NULL pointer being set for
> the Scsi_Host->parent field, calls to host_to_us() have to make
> sure the return pointer is not null.  Changes were made to check
> for a return value of NULL on calls to host_to_us().
> 
> Signed-off-by: Joe Moriarty <joe.moriarty@xxxxxxxxxx>
> Reviewed-by: Steven Sistare <steven.sistare@xxxxxxxxxx>
> Acked-by: Hakon Bugge <hakon.bugge@xxxxxxxxxx>
> ---
>  drivers/usb/storage/scsiglue.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c
> index c267f2812a04..00a8cb005e83 100644
> --- a/drivers/usb/storage/scsiglue.c
> +++ b/drivers/usb/storage/scsiglue.c
> @@ -329,7 +329,18 @@ static int slave_configure(struct scsi_device *sdev)
>  
>  static int target_alloc(struct scsi_target *starget)
>  {
> -	struct us_data *us = host_to_us(dev_to_shost(starget->dev.parent));
> +	struct Scsi_Host *host;
> +	struct us_data *us;
> +
> +	host = dev_to_shost(starget->dev.parent);
> +	if (!host) {
> +		dev_dbg(&(starget)->dev,
> +			"SCSI Host not found, Error in %s: us = NULL\n",
> +			__func__);
> +		return -ENODEV;
> +	}
> +
> +	us = host_to_us(host);

NAK.  This condition can never happen; if it does then there's a bug in 
the SCSI core and the system _should_ oops.

This routine is called from only one place: scsi_alloc_target().  In 
that routine, starget->dev.parent is explicitly set to point at a 
Scsi_Host.  The NULL return you're worried about cannot happen in that 
case, because the "while" loop will not execute at all:

static inline struct Scsi_Host *dev_to_shost(struct device *dev)
{
        while (!scsi_is_host_device(dev)) {
                if (!dev->parent)
                        return NULL;
                dev = dev->parent;
        }
        return container_of(dev, struct Scsi_Host, shost_gendev);
}

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html