[tpmdd-devel] char: tmp: fix potential null pointer dereference

Message ID 20170530215123.GA7484@embeddedgus
State New

Commit Message

Gustavo A. R. Silva May 30, 2017, 9:51 p.m.
NULL check at line 147: if (chip) {, implies chip might be NULL.
Function dev_get_drvdata() dereferences pointer chip.
Move pointer priv assignment inside the IF block that checks
pointer chip.

Addresses-Coverity-ID: 1397646
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
 drivers/char/tpm/tpm_atmel.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Gustavo A. R. Silva June 12, 2017, 10:25 p.m. | #1
Hi Jarkko,

Please, see my comments below

Quoting Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>:

> On Tue, May 30, 2017 at 04:51:23PM -0500, Gustavo A. R. Silva wrote:
>> NULL check at line 147: if (chip) {, implies chip might be NULL.
>> Function dev_get_drvdata() dereferences pointer chip.
>> Move pointer priv assignment inside the IF block that checks
>> pointer chip.
>>
>> Addresses-Coverity-ID: 1397646
>> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
>
> It cannot be.
>

I got it.

> /Jarkko
>
>> ---
>>  drivers/char/tpm/tpm_atmel.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/char/tpm/tpm_atmel.c b/drivers/char/tpm/tpm_atmel.c
>> index 0d322ab..0826efd 100644
>> --- a/drivers/char/tpm/tpm_atmel.c
>> +++ b/drivers/char/tpm/tpm_atmel.c
>> @@ -142,9 +142,10 @@ static struct platform_device *pdev;
>>  static void atml_plat_remove(void)
>>  {
>>  	struct tpm_chip *chip = dev_get_drvdata(&pdev->dev);
>> -	struct tpm_atmel_priv *priv = dev_get_drvdata(&chip->dev);
>> +	struct tpm_atmel_priv *priv;
>>
>>  	if (chip) {

So, this NULL check could be removed?

>> +		priv = dev_get_drvdata(&chip->dev);
>>  		tpm_chip_unregister(chip);
>>  		if (priv->have_region)
>>  			atmel_release_region(priv->base, priv->region_size);
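Review bot: `priv` is dereferenced at `if (priv->have_region)` with no check of its own, so moving the `dev_get_drvdata(&chip->dev)` call under `if (chip)` guards only one of the two pointers this function depends on. If the remove path is meant to tolerate missing driver data, test `priv` as well before using it; if both pointers are guaranteed to be set by the time this function runs, state that in the commit message rather than guarding one of them.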
>> --
>> 2.5.0
>>

Thank you
--
Gustavo A. R. Silva





------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Jarkko Sakkinen June 13, 2017, 6:03 p.m. | #2
On Mon, Jun 12, 2017 at 05:25:44PM -0500, Gustavo A. R. Silva wrote:
> Hi Jarkko,
> 
> Please, see my comments below
> 
> Quoting Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>:
> 
> > On Tue, May 30, 2017 at 04:51:23PM -0500, Gustavo A. R. Silva wrote:
> > > NULL check at line 147: if (chip) {, implies chip might be NULL.
> > > Function dev_get_drvdata() dereferences pointer chip.
> > > Move pointer priv assignment inside the IF block that checks
> > > pointer chip.
> > > 
> > > Addresses-Coverity-ID: 1397646
> > > Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
> > 
> > It cannot be.
> > 
> 
> I got it.
> 
> > /Jarkko
> > 
> > > ---
> > >  drivers/char/tpm/tpm_atmel.c | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/char/tpm/tpm_atmel.c b/drivers/char/tpm/tpm_atmel.c
> > > index 0d322ab..0826efd 100644
> > > --- a/drivers/char/tpm/tpm_atmel.c
> > > +++ b/drivers/char/tpm/tpm_atmel.c
> > > @@ -142,9 +142,10 @@ static struct platform_device *pdev;
> > >  static void atml_plat_remove(void)
> > >  {
> > >  	struct tpm_chip *chip = dev_get_drvdata(&pdev->dev);
> > > -	struct tpm_atmel_priv *priv = dev_get_drvdata(&chip->dev);
> > > +	struct tpm_atmel_priv *priv;
> > > 
> > >  	if (chip) {
> 
> So, this NULL check could be removed?

Yes, this would be the right way to fix it.

/Jarkko


Patch

diff --git a/drivers/char/tpm/tpm_atmel.c b/drivers/char/tpm/tpm_atmel.c
index 0d322ab..0826efd 100644
--- a/drivers/char/tpm/tpm_atmel.c
+++ b/drivers/char/tpm/tpm_atmel.c
@@ -142,9 +142,10 @@  static struct platform_device *pdev;
 static void atml_plat_remove(void)
 {
 	struct tpm_chip *chip = dev_get_drvdata(&pdev->dev);
-	struct tpm_atmel_priv *priv = dev_get_drvdata(&chip->dev);
+	struct tpm_atmel_priv *priv;
 
 	if (chip) {
+		priv = dev_get_drvdata(&chip->dev);
 		tpm_chip_unregister(chip);
 		if (priv->have_region)
 			atmel_release_region(priv->base, priv->region_size);
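Review bot: the `if (chip)` test that the moved assignment now sits under is the only thing implying `chip` can be NULL in `atml_plat_remove()`, and the maintainer's replies in this thread say it cannot be. Instead of relocating `priv = dev_get_drvdata(&chip->dev);` inside the block, drop the `if (chip)` check and keep the initializer on the declaration line; that resolves the Coverity report without separating the declaration of `priv` from its assignment. The subject prefix also reads `tmp:` while the file touched is under `drivers/char/tpm/`, which is worth correcting in a resend.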