Re: [PATCH v3] Bluetooth: btmtk: Fix null pointer when processing coredump
From: Paul Menzel
Date: Wed Jul 12 2023 - 05:25:57 EST
Dear Chris,
Am 12.07.23 um 10:53 schrieb Chris Lu (陸稚泓):
On Wed, 2023-07-12 at 08:11 +0200, Paul Menzel wrote:
External email : Please do not click links or open attachments until
you have verified the sender or the content.
(It’d be nice if you removed such (automatically added) phrases from
your reply.)
Thanks for your review and feedback to Mediatek's Bluetooth driver
code.
Thank you for your reply.
Am 12.07.23 um 07:18 schrieb Chris Lu:
There may be a potential null pointer risk if offset value is
less than 0 when doing memcmp in btmtk_process_coredump().
Checking offset is valid before doing memcmp.
Use imperative mood: Check offset …
Signed-off-by: Chris Lu <chris.lu@xxxxxxxxxxxx>
Co-developed-by: Sean Wang <sean.wang@xxxxxxxxxxxx>
Signed-off-by: Sean Wang <sean.wang@xxxxxxxxxxxx>
---
v2: fix typo
v3: fix bot checking error
---
drivers/bluetooth/btmtk.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 786f775196ae..0f290430ae0e 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -370,7 +370,7 @@ EXPORT_SYMBOL_GPL(btmtk_register_coredump);
int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
{
struct btmediatek_data *data = hci_get_priv(hdev);
-int err;
+int err, offset;
if (!IS_ENABLED(CONFIG_DEV_COREDUMP))
return 0;
@@ -392,15 +392,15 @@ int btmtk_process_coredump(struct hci_dev
*hdev, struct sk_buff *skb)
if (err < 0)
break;
data->cd_info.cnt++;
+offset = skb->len - sizeof(MTK_COREDUMP_END);
For `sizeof()` shouldn’t you use `size_t`? But that is unsigned of
course. Maybe ssize_t then?
yes, it's better to use ssize_t or size_t, I'll change declaratins of
offset from int to ssize_t.
/* Mediatek coredump data would be more than MTK_COREDUMP_NUM */
-if (data->cd_info.cnt > MTK_COREDUMP_NUM &&
- skb->len > sizeof(MTK_COREDUMP_END) &&
- !memcmp((char *)&skb->data[skb->len - sizeof(MTK_COREDUMP_END)],
- MTK_COREDUMP_END, sizeof(MTK_COREDUMP_END) - 1)) {
-bt_dev_info(hdev, "Mediatek coredump end");
-hci_devcd_complete(hdev);
-}
+if (data->cd_info.cnt > MTK_COREDUMP_NUM && offset > 0)
Why not keep it like before, and just add the condition `skb->len <
sizeof(MTK_COREDUMP_END)`? The compiler is probably going to optimize
so the value is not calculated twice.
The reason why I send this patch is when I backport devcoredump feature
to specific project with older kernel version, the compiler might not
so optimized that it would cause kernel panic when run into memcmp.
As a result, make sure `skb->len > sizeof(MTK_COREDUMP_END) ` before
doing memcmp part can avoid null pointer issue.
Besides, only in condition 'data->cd_info.cnt > MTK_COREDUMP_NUM &&
offset > 0' need to do memcmp to check the end of coredump. Driver do
noting with condition `skb->len < sizeof(MTK_COREDUMP_END) ` that
additional condiction is not really necessary.
Just to avoid misunderstandings, my point, to add the comparison and get
rid of the variable `offset`.
Kind regards,
Paul
+if (!memcmp((char *)&skb->data[offset], MTK_COREDUMP_END,
+ sizeof(MTK_COREDUMP_END) - 1)) {
+bt_dev_info(hdev, "Mediatek coredump end");
+hci_devcd_complete(hdev);
+}
break;
}