diff mbox series

nfc: pn533: Add poll mod list filling check

Message ID 20240702093924.12092-1-amishin@t-argos.ru (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series nfc: pn533: Add poll mod list filling check | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 840 this patch: 840
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 4 of 4 maintainers
netdev/build_clang success Errors and warnings before: 848 this patch: 848
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 849 this patch: 849
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-07-03--12-00 (tests: 666)

Commit Message

Aleksandr Mishin July 2, 2024, 9:39 a.m. UTC 
In case of im_protocols value is 1 and tm_protocols value is 0 this
combination successfully passes the check
'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().
But then after pn533_poll_create_mod_list() call in pn533_start_poll()
poll mod list will remain empty and dev->poll_mod_count will remain 0
which lead to division by zero.

Add poll mod list filling check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: dfccd0f58044 ("NFC: pn533: Add some polling entropy")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
---
 drivers/nfc/pn533/pn533.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Krzysztof Kozlowski July 3, 2024, 5:02 a.m. UTC | #1 
On 02/07/2024 11:39, Aleksandr Mishin wrote:
> In case of im_protocols value is 1 and tm_protocols value is 0 this

Which im protocol has value 1 in the mask?

The pn533_poll_create_mod_list() handles all possible masks, so your
case is just not possible to happen.

This patch is purely to satisfy (your) static analyzers, so this should
be clear in commit msg. You are not fixing any bug but adding sort of
defensive code and suppresion of false-positive warning...

> combination successfully passes the check
> 'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().
> But then after pn533_poll_create_mod_list() call in pn533_start_poll()
> poll mod list will remain empty and dev->poll_mod_count will remain 0
> which lead to division by zero.
> 
> Add poll mod list filling check.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: dfccd0f58044 ("NFC: pn533: Add some polling entropy")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
>  drivers/nfc/pn533/pn533.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
> index b19c39dcfbd9..e2bc67300a91 100644
> --- a/drivers/nfc/pn533/pn533.c
> +++ b/drivers/nfc/pn533/pn533.c
> @@ -1723,6 +1723,11 @@ static int pn533_start_poll(struct nfc_dev *nfc_dev,
>  	}
>  
>  	pn533_poll_create_mod_list(dev, im_protocols, tm_protocols);
> +	if (!dev->poll_mod_count) {
> +		nfc_err(dev->dev,
> +			"Poll mod list is empty\n");

Odd wrapping.

> +		return -EINVAL;
> +	}
>  
>  	/* Do not always start polling from the same modulation */
>  	get_random_bytes(&rand_mod, sizeof(rand_mod));

Best regards,
Krzysztof
Aleksandr Mishin July 3, 2024, 7:26 a.m. UTC | #2 
On 03.07.2024 8:02, Krzysztof Kozlowski wrote:
> On 02/07/2024 11:39, Aleksandr Mishin wrote:
>> In case of im_protocols value is 1 and tm_protocols value is 0 this
> 
> Which im protocol has value 1 in the mask?
> 
> The pn533_poll_create_mod_list() handles all possible masks, so your
> case is just not possible to happen.

Exactly. pn533_poll_create_mod_list() handles all possible specified 
masks. No im protocol has value 1 in the mask. In case of 'im_protocol' 
parameter has value of 1, no mod will be added. So dev->poll_mod_count 
will remain 0.
I assume 'im_protocol' parameter is "external" to this driver, it comes 
from outside and can contain any value, so driver has to be able to 
protect itself from incorrect values.

> 
> This patch is purely to satisfy (your) static analyzers, so this should
> be clear in commit msg. You are not fixing any bug but adding sort of
> defensive code and suppresion of false-positive warning...
> 
>> combination successfully passes the check
>> 'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().
>> But then after pn533_poll_create_mod_list() call in pn533_start_poll()
>> poll mod list will remain empty and dev->poll_mod_count will remain 0
>> which lead to division by zero.
>>
>> Add poll mod list filling check.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Fixes: dfccd0f58044 ("NFC: pn533: Add some polling entropy")
>> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
>> ---
>>   drivers/nfc/pn533/pn533.c | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
>> index b19c39dcfbd9..e2bc67300a91 100644
>> --- a/drivers/nfc/pn533/pn533.c
>> +++ b/drivers/nfc/pn533/pn533.c
>> @@ -1723,6 +1723,11 @@ static int pn533_start_poll(struct nfc_dev *nfc_dev,
>>   	}
>>   
>>   	pn533_poll_create_mod_list(dev, im_protocols, tm_protocols);
>> +	if (!dev->poll_mod_count) {
>> +		nfc_err(dev->dev,
>> +			"Poll mod list is empty\n");
> 
> Odd wrapping.

Just like other messages in this function.

> 
>> +		return -EINVAL;
>> +	}
>>   
>>   	/* Do not always start polling from the same modulation */
>>   	get_random_bytes(&rand_mod, sizeof(rand_mod));
> 
> Best regards,
> Krzysztof
>
Krzysztof Kozlowski July 4, 2024, 12:07 p.m. UTC | #3 
On 03/07/2024 09:26, Aleksandr Mishin wrote:
> 
> 
> On 03.07.2024 8:02, Krzysztof Kozlowski wrote:
>> On 02/07/2024 11:39, Aleksandr Mishin wrote:
>>> In case of im_protocols value is 1 and tm_protocols value is 0 this
>>
>> Which im protocol has value 1 in the mask?
>>
>> The pn533_poll_create_mod_list() handles all possible masks, so your
>> case is just not possible to happen.
> 
> Exactly. pn533_poll_create_mod_list() handles all possible specified 
> masks. No im protocol has value 1 in the mask. In case of 'im_protocol' 

Which cannot happen.

> parameter has value of 1, no mod will be added. So dev->poll_mod_count 
> will remain 0.

Which cannot happen.

> I assume 'im_protocol' parameter is "external" to this driver, it comes 
> from outside and can contain any value, so driver has to be able to 
> protect itself from incorrect values.

Did you read what I wrote? It cannot happen.

Best regards,
Krzysztof
diff mbox series

Patch

diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
index b19c39dcfbd9..e2bc67300a91 100644
--- a/drivers/nfc/pn533/pn533.c
+++ b/drivers/nfc/pn533/pn533.c
@@ -1723,6 +1723,11 @@  static int pn533_start_poll(struct nfc_dev *nfc_dev,
 	}
 
 	pn533_poll_create_mod_list(dev, im_protocols, tm_protocols);
+	if (!dev->poll_mod_count) {
+		nfc_err(dev->dev,
+			"Poll mod list is empty\n");
+		return -EINVAL;
+	}
 
 	/* Do not always start polling from the same modulation */
 	get_random_bytes(&rand_mod, sizeof(rand_mod));