Message ID | 20151126115523.GD10556@mwanda (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Kalle Valo |
Headers | show |
Am 26.11.2015 12:55, schrieb Dan Carpenter: > This code causes a static checker bug. > > drivers/net/wireless/ralink/rt2x00/rt2500usb.c:232 _rt2500usb_register_read() > warn: passing casted pointer 'value' to 'rt2500usb_register_read()' 32 vs 16. > > If the low 16 bits were initialized to zero then this code would only be > a problem on big endian systems. But in this case this is case the low > 16 bits are never initialized. This is called from a function which is > created using a macro: > > RT2X00DEBUGFS_OPS(csr, "0x%.8x\n", u32); > > We end up copying uninitialized data to the user which is bogus and an > information leak. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > Not tested. Perhaps we should just remove this code since it has never > worked. > > diff --git a/drivers/net/wireless/ralink/rt2x00/rt2500usb.c b/drivers/net/wireless/ralink/rt2x00/rt2500usb.c > index b50d873..d26018f 100644 > --- a/drivers/net/wireless/ralink/rt2x00/rt2500usb.c > +++ b/drivers/net/wireless/ralink/rt2x00/rt2500usb.c > @@ -229,7 +229,10 @@ static void _rt2500usb_register_read(struct rt2x00_dev *rt2x00dev, > const unsigned int offset, > u32 *value) > { > - rt2500usb_register_read(rt2x00dev, offset, (u16 *)value); > + u16 tmp; > + > + rt2500usb_register_read(rt2x00dev, offset, &tmp); > + *value = tmp; > } > perhaps, cleaning *value would be sufficient ? Avoiding the need for a tmp var. *value = 0 rt2500usb_register_read(rt2x00dev, offset, (u16 *)value); re, wh > static void _rt2500usb_register_write(struct rt2x00_dev *rt2x00dev, > -- > To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Nov 26, 2015 at 01:21:48PM +0100, walter harms wrote: > > If the low 16 bits were initialized to zero then this code would only be > > a problem on big endian systems. > perhaps, cleaning *value would be sufficient ? Avoiding the need for a tmp var. > > *value = 0 > rt2500usb_register_read(rt2x00dev, offset, (u16 *)value); > Because if you initialize value then you still have a bug on big endian systems. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Nov 26, 2015 at 02:55:23PM +0300, Dan Carpenter wrote: > This code causes a static checker bug. > > drivers/net/wireless/ralink/rt2x00/rt2500usb.c:232 _rt2500usb_register_read() > warn: passing casted pointer 'value' to 'rt2500usb_register_read()' 32 vs 16. > > If the low 16 bits were initialized to zero then this code would only be > a problem on big endian systems. But in this case this is case the low > 16 bits are never initialized. This is called from a function which is > created using a macro: > > RT2X00DEBUGFS_OPS(csr, "0x%.8x\n", u32); > > We end up copying uninitialized data to the user which is bogus and an > information leak. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Stanislaw Gruszka <sgruszka@redhat.com> > --- > Not tested. Perhaps we should just remove this code since it has never > worked. It is used for debugfs interface and I would like to keep it. Stanislaw -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
> This code causes a static checker bug. > > drivers/net/wireless/ralink/rt2x00/rt2500usb.c:232 _rt2500usb_register_read() > warn: passing casted pointer 'value' to 'rt2500usb_register_read()' 32 vs 16. > > If the low 16 bits were initialized to zero then this code would only be > a problem on big endian systems. But in this case this is case the low > 16 bits are never initialized. This is called from a function which is > created using a macro: > > RT2X00DEBUGFS_OPS(csr, "0x%.8x\n", u32); > > We end up copying uninitialized data to the user which is bogus and an > information leak. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Acked-by: Stanislaw Gruszka <sgruszka@redhat.com> Thanks, applied to wireless-drivers-next.git. Kalle Valo -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2500usb.c b/drivers/net/wireless/ralink/rt2x00/rt2500usb.c index b50d873..d26018f 100644 --- a/drivers/net/wireless/ralink/rt2x00/rt2500usb.c +++ b/drivers/net/wireless/ralink/rt2x00/rt2500usb.c @@ -229,7 +229,10 @@ static void _rt2500usb_register_read(struct rt2x00_dev *rt2x00dev, const unsigned int offset, u32 *value) { - rt2500usb_register_read(rt2x00dev, offset, (u16 *)value); + u16 tmp; + + rt2500usb_register_read(rt2x00dev, offset, &tmp); + *value = tmp; } static void _rt2500usb_register_write(struct rt2x00_dev *rt2x00dev,
This code causes a static checker bug. drivers/net/wireless/ralink/rt2x00/rt2500usb.c:232 _rt2500usb_register_read() warn: passing casted pointer 'value' to 'rt2500usb_register_read()' 32 vs 16. If the low 16 bits were initialized to zero then this code would only be a problem on big endian systems. But in this case this is case the low 16 bits are never initialized. This is called from a function which is created using a macro: RT2X00DEBUGFS_OPS(csr, "0x%.8x\n", u32); We end up copying uninitialized data to the user which is bogus and an information leak. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- Not tested. Perhaps we should just remove this code since it has never worked. -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html