| Message ID | 20220124172120.62828-1-zhou1615@umn.edu (mailing list archive) |
|---|---|
| State | Rejected |
| Headers | show |
| Series | scsi: mpt3sas: FIx a NULL pointer dereference bug in mpt3sas_transport_port_add() | expand |
On Tue, Jan 25, 2022 at 01:21:20AM +0800, Zhou Qingyang wrote: > In mpt3sas_transport_port_add(), sas_end_device_alloc() is assigned to rphy > and there is a dereference of it. sas_end_device_alloc() could return NULL > on failure of allocation, which could introduce a NULL pointer dereference > bug. > > The same as sas_expander_alloc(). > > Fix this bug by adding a NULL check of rphy. > > This bug was found by a static analyzer. > > Builds with 'make allyesconfig' show no new warnings, > and our static analyzer no longer warns about this code. > > Fixes: f92363d12359 ("mpt3sas: add new driver supporting 12GB SAS") > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu> > --- > The analysis employs differential checking to identify inconsistent > security operations (e.g., checks or kfrees) between two code paths > and confirms that the inconsistent operations are not recovered in the > current function or the callers, so they constitute bugs. > > Note that, as a bug found by static analysis, it can be a false > positive or hard to trigger. Multiple researchers have cross-reviewed > the bug. > > drivers/scsi/mpt3sas/mpt3sas_transport.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c > index 0681daee6c14..1caa929cf8bc 100644 > --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c > +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c > @@ -823,6 +823,11 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, > hba_port->sas_address = > mpt3sas_port->remote_identify.sas_address; > } > + if (!rphy) { > + ioc_err(ioc, "failure at %s:%d/%s()!\n", > + __FILE__, __LINE__, __func__); > + goto out_fail; > + } > > rphy->identify = mpt3sas_port->remote_identify; > > -- > 2.25.1 > As stated before, umn.edu is still not allowed to contribute to the Linux kernel. Please work with your administration to resolve this issue.
diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c index 0681daee6c14..1caa929cf8bc 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c @@ -823,6 +823,11 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, hba_port->sas_address = mpt3sas_port->remote_identify.sas_address; } + if (!rphy) { + ioc_err(ioc, "failure at %s:%d/%s()!\n", + __FILE__, __LINE__, __func__); + goto out_fail; + } rphy->identify = mpt3sas_port->remote_identify;
In mpt3sas_transport_port_add(), sas_end_device_alloc() is assigned to rphy and there is a dereference of it. sas_end_device_alloc() could return NULL on failure of allocation, which could introduce a NULL pointer dereference bug. The same as sas_expander_alloc(). Fix this bug by adding a NULL check of rphy. This bug was found by a static analyzer. Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code. Fixes: f92363d12359 ("mpt3sas: add new driver supporting 12GB SAS") Signed-off-by: Zhou Qingyang <zhou1615@umn.edu> --- The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. drivers/scsi/mpt3sas/mpt3sas_transport.c | 5 +++++ 1 file changed, 5 insertions(+)