rt2x00: type bug in _rt2500usb_register_read()

Message ID	20151126115523.GD10556@mwanda (mailing list archive)
State	Accepted
Delegated to:	Kalle Valo
Headers	show Return-Path: <linux-wireless-owner@kernel.org> Date: Thu, 26 Nov 2015 14:55:23 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: Stanislaw Gruszka <sgruszka@redhat.com> Cc: Helmut Schaa <helmut.schaa@googlemail.com>, Kalle Valo <kvalo@codeaurora.org>, linux-wireless@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] rt2x00: type bug in _rt2500usb_register_read() Message-ID: <20151126115523.GD10556@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk

Message ID

20151126115523.GD10556@mwanda (mailing list archive)

State

Accepted

Delegated to:

Kalle Valo

Headers

Date: Thu, 26 Nov 2015 14:55:23 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Helmut Schaa <helmut.schaa@googlemail.com>,
	Kalle Valo <kvalo@codeaurora.org>,
	linux-wireless@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] rt2x00: type bug in _rt2500usb_register_read()
Message-ID: <20151126115523.GD10556@mwanda>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk

Commit Message

Dan Carpenter Nov. 26, 2015, 11:55 a.m. UTC

This code causes a static checker bug.

drivers/net/wireless/ralink/rt2x00/rt2500usb.c:232 _rt2500usb_register_read()
warn: passing casted pointer 'value' to 'rt2500usb_register_read()' 32 vs 16.

If the low 16 bits were initialized to zero then this code would only be
a problem on big endian systems.  But in this case this is case the low
16 bits are never initialized.  This is called from a function which is
created using a macro:

RT2X00DEBUGFS_OPS(csr, "0x%.8x\n", u32);

We end up copying uninitialized data to the user which is bogus and an
information leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Not tested.  Perhaps we should just remove this code since it has never
worked.

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Walter Harms Nov. 26, 2015, 12:21 p.m. UTC | #1

Am 26.11.2015 12:55, schrieb Dan Carpenter:
> This code causes a static checker bug.
> 
> drivers/net/wireless/ralink/rt2x00/rt2500usb.c:232 _rt2500usb_register_read()
> warn: passing casted pointer 'value' to 'rt2500usb_register_read()' 32 vs 16.
> 
> If the low 16 bits were initialized to zero then this code would only be
> a problem on big endian systems.  But in this case this is case the low
> 16 bits are never initialized.  This is called from a function which is
> created using a macro:
> 
> RT2X00DEBUGFS_OPS(csr, "0x%.8x\n", u32);
> 
> We end up copying uninitialized data to the user which is bogus and an
> information leak.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Not tested.  Perhaps we should just remove this code since it has never
> worked.
> 
> diff --git a/drivers/net/wireless/ralink/rt2x00/rt2500usb.c b/drivers/net/wireless/ralink/rt2x00/rt2500usb.c
> index b50d873..d26018f 100644
> --- a/drivers/net/wireless/ralink/rt2x00/rt2500usb.c
> +++ b/drivers/net/wireless/ralink/rt2x00/rt2500usb.c
> @@ -229,7 +229,10 @@ static void _rt2500usb_register_read(struct rt2x00_dev *rt2x00dev,
>  				     const unsigned int offset,
>  				     u32 *value)
>  {
> -	rt2500usb_register_read(rt2x00dev, offset, (u16 *)value);
> +	u16 tmp;
> +
> +	rt2500usb_register_read(rt2x00dev, offset, &tmp);
> +	*value = tmp;
>  }
>  

perhaps, cleaning *value would be sufficient ? Avoiding the need for a tmp var.

*value = 0
rt2500usb_register_read(rt2x00dev, offset, (u16 *)value);


re,
 wh

>  static void _rt2500usb_register_write(struct rt2x00_dev *rt2x00dev,
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Dan Carpenter Nov. 26, 2015, 12:36 p.m. UTC | #2

On Thu, Nov 26, 2015 at 01:21:48PM +0100, walter harms wrote:
> > If the low 16 bits were initialized to zero then this code would only be
> > a problem on big endian systems.

> perhaps, cleaning *value would be sufficient ? Avoiding the need for a tmp var.
> 
> *value = 0
> rt2500usb_register_read(rt2x00dev, offset, (u16 *)value);
> 

Because if you initialize value then you still have a bug on big endian
systems.

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Stanislaw Gruszka Nov. 26, 2015, 1:52 p.m. UTC | #3

On Thu, Nov 26, 2015 at 02:55:23PM +0300, Dan Carpenter wrote:
> This code causes a static checker bug.
> 
> drivers/net/wireless/ralink/rt2x00/rt2500usb.c:232 _rt2500usb_register_read()
> warn: passing casted pointer 'value' to 'rt2500usb_register_read()' 32 vs 16.
> 
> If the low 16 bits were initialized to zero then this code would only be
> a problem on big endian systems.  But in this case this is case the low
> 16 bits are never initialized.  This is called from a function which is
> created using a macro:
> 
> RT2X00DEBUGFS_OPS(csr, "0x%.8x\n", u32);
> 
> We end up copying uninitialized data to the user which is bogus and an
> information leak.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Stanislaw Gruszka <sgruszka@redhat.com>

> ---
> Not tested.  Perhaps we should just remove this code since it has never
> worked.

It is used for debugfs interface and I would like to keep it.

Stanislaw
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Kalle Valo Nov. 30, 2015, 12:58 p.m. UTC | #4

> This code causes a static checker bug.
> 
> drivers/net/wireless/ralink/rt2x00/rt2500usb.c:232 _rt2500usb_register_read()
> warn: passing casted pointer 'value' to 'rt2500usb_register_read()' 32 vs 16.
> 
> If the low 16 bits were initialized to zero then this code would only be
> a problem on big endian systems.  But in this case this is case the low
> 16 bits are never initialized.  This is called from a function which is
> created using a macro:
> 
> RT2X00DEBUGFS_OPS(csr, "0x%.8x\n", u32);
> 
> We end up copying uninitialized data to the user which is bogus and an
> information leak.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Acked-by: Stanislaw Gruszka <sgruszka@redhat.com>

Thanks, applied to wireless-drivers-next.git.

Kalle Valo
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/wireless/ralink/rt2x00/rt2500usb.c b/drivers/net/wireless/ralink/rt2x00/rt2500usb.c
index b50d873..d26018f 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2500usb.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2500usb.c
@@ -229,7 +229,10 @@  static void _rt2500usb_register_read(struct rt2x00_dev *rt2x00dev,
 				     const unsigned int offset,
 				     u32 *value)
 {
-	rt2500usb_register_read(rt2x00dev, offset, (u16 *)value);
+	u16 tmp;
+
+	rt2500usb_register_read(rt2x00dev, offset, &tmp);
+	*value = tmp;
 }
 
 static void _rt2500usb_register_write(struct rt2x00_dev *rt2x00dev,

rt2x00: type bug in _rt2500usb_register_read()

Commit Message

Comments

Patch