Ubuntu
linux package

ubuntu/rsi driver has several issues as picked up by static analysis

Xenial (16.04)
Bug #1694733

Bug #1694733 reported by Colin Ian King on 2017-05-31

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Medium	Shrirang Bagul
	Xenial	Fix Released	Undecided	Unassigned

Bug Description

** CID 1438209: Memory - corruptions (OVERRUN)
/ubuntu/rsi/rsi_91x_core.c: 352 in rsi_core_qos_processor()

________________________________________________________________________________________________________
*** CID 1438209: Memory - corruptions (OVERRUN)
/ubuntu/rsi/rsi_91x_core.c: 352 in rsi_core_qos_processor()
346
347 if (status) {
348 mutex_unlock(&common->tx_lock);
349 break;
350 }
351
>>> CID 1438209: Memory - corruptions (OVERRUN)
>>> Overrunning array "common->tx_stats.total_tx_pkt_send" of 5 4-byte elements at element index 5 (byte offset 20) using index "q_num" (which evaluates to 5).
352 common->tx_stats.total_tx_pkt_send[q_num]++;
353
354 tstamp_2 = jiffies;
355 mutex_unlock(&common->tx_lock);
356
357 if (tstamp_2 > tstamp_1 + (300 * HZ / 1000))

** CID 1438210: Resource leaks (RESOURCE_LEAK)
/ubuntu/rsi/rsi_91x_hci.c: 274 in rsi_deregister_bt()

________________________________________________________________________________________________________
*** CID 1438210: Resource leaks (RESOURCE_LEAK)
/ubuntu/rsi/rsi_91x_hci.c: 274 in rsi_deregister_bt()
268 cmd_frame->q_no = RSI_BT_MGMT_Q;
269 cmd_frame->pkt_type = RSI_BT_PKT_TYPE_DEREGISTR;
270
271 skb_put(skb, sizeof(struct rsi_bt_cmd_frame));
272
273 //return rsi_coex_send_pkt(common, skb, RSI_BT_Q);
>>> CID 1438210: Resource leaks (RESOURCE_LEAK)
>>> Variable "skb" going out of scope leaks the storage it points to.
274 return common->priv->host_intf_ops->write_pkt(common->priv, skb->data, skb->len);
275 }
276 EXPORT_SYMBOL_GPL(rsi_deregister_bt);
277
278 int rsi_hci_recv_pkt(struct rsi_common *common, u8 *pkt)
279 {

** CID 1438211: Resource leaks (RESOURCE_LEAK)
/ubuntu/rsi/rsi_91x_hci.c: 249 in rsi_send_rfmode_frame()

________________________________________________________________________________________________________
*** CID 1438211: Resource leaks (RESOURCE_LEAK)
/ubuntu/rsi/rsi_91x_hci.c: 249 in rsi_send_rfmode_frame()
243 cmd_frame->bt_rf_tx_power_mode = 0;
244 cmd_frame->bt_rf_tx_power_mode = 0;
245
246 skb_put(skb, sizeof(struct rsi_bt_rfmode_frame));
247
248 // return rsi_coex_send_pkt(common, skb, RSI_BT_Q);
>>> CID 1438211: Resource leaks (RESOURCE_LEAK)
>>> Variable "skb" going out of scope leaks the storage it points to.
249 return common->priv->host_intf_ops->write_pkt(common->priv, skb->data, skb->len);
250 }
251 EXPORT_SYMBOL_GPL(rsi_send_rfmode_frame);
252
253 int rsi_deregister_bt(struct rsi_common *common)
254 {

** CID 1438212: Null pointer dereferences (REVERSE_INULL)
/ubuntu/rsi/rsi_91x_sdio.c: 1388 in rsi_freeze()

________________________________________________________________________________________________________
*** CID 1438212: Null pointer dereferences (REVERSE_INULL)
/ubuntu/rsi/rsi_91x_sdio.c: 1388 in rsi_freeze()
1382 struct rsi_91x_sdiodev *sdev =
1383 (struct rsi_91x_sdiodev *)adapter->rsi_dev;
1384 #endif
1385
1386 ven_rsi_dbg(INFO_ZONE, "SDIO Bus freeze ===>\n");
1387
>>> CID 1438212: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "adapter" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1388 if (!adapter) {
1389 ven_rsi_dbg(ERR_ZONE, "Device is not ready\n");
1390 return -ENODEV;
1391 }
1392
1393 common->suspend_in_prog = true;

** CID 1438213: Control flow issues (UNREACHABLE)
/ubuntu/rsi/rsi_91x_usb.c: 497 in rsi_usb_check_queue_status()

________________________________________________________________________________________________________
*** CID 1438213: Control flow issues (UNREACHABLE)
/ubuntu/rsi/rsi_91x_usb.c: 497 in rsi_usb_check_queue_status()
491 struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev;
492 int status;
493 u32 buf_status = 0;
494
495 return QUEUE_NOT_FULL;
496
>>> CID 1438213: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "if (adapter->priv->fsm_stat...".
497 if (adapter->priv->fsm_state != FSM_MAC_INIT_DONE)
498 return QUEUE_NOT_FULL;
499
500 status = rsi_usb_reg_read(dev->usbdev, adapter->usb_buffer_status_reg,
501 &buf_status, 2);
502 if (status < 0)

Tags:

CVE References

Colin Ian King (colin-king) on 2017-05-31

Changed in linux (Ubuntu):
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Colin Ian King (colin-king)
assignee:	Colin Ian King (colin-king) → nobody
status:	In Progress → Confirmed

Revision history for this message

Amitkumar Karwar (amitkarwar) wrote on 2017-06-28:

1.2RC15 rsi driver includes fixes for these issues

Shrirang Bagul (shrirang-bagul) on 2017-07-01

Changed in linux (Ubuntu):
assignee:	nobody → Shrirang Bagul (shrirang-bagul)

Stefan Bader (smb) on 2017-07-20

Changed in linux (Ubuntu Xenial):
status:	New → Fix Committed

Revision history for this message

Kleber Sacilotto de Souza (kleber-souza) wrote on 2017-07-25:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Kleber Sacilotto de Souza (kleber-souza) wrote on 2017-08-02:

rsi driver verified to be working as expected, as reported on bug #1697829.

tags:

added: verification-done-xenial
removed: verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-08-03:

Download full text (12.0 KiB)

This bug was fixed in the package linux - 4.4.0-89.112

---------------
linux (4.4.0-89.112) xenial; urgency=low

* CVE-2017-7533
- dentry name snapshots

linux (4.4.0-88.111) xenial; urgency=low

* linux: 4.4.0-88.111 -proposed tracker (LP: #1705270)

* [Xenial] nvme: Quirks for PM1725 controllers (LP: #1704435)
- nvme: Quirks for PM1725 controllers

  * Upgrade Redpine WLAN/BT driver to ver. 1.2 (production release)
    (LP: #1697829)
    - SAUCE: Redpine: Upgrade to ver. 1.2 production release

  * ubuntu/rsi driver has several issues as picked up by static analysis
    (LP: #1694733)
    - SAUCE: Redpine: Upgrade to ver. 1.2 production release

  * Redpine vendor driver - Switching to AP mode causes kernel panic
    (LP: #1700941)
    - SAUCE: Redpine: Upgrade to ver. 1.2 production release

* CVE-2017-10810
- drm/virtio: don't leak bo on drm_gem_object_init failure

* Ath10k to read different board data file if specify in SMBIOS (LP: #1666742)
- ath10k: search SMBIOS for OEM board file extension

* make snap-pkg support (LP: #1700747)
- SAUCE: make snap-pkg support

  * ISST-LTE: Briggs:Stratton:UbuntuKVM: ics_opal_set_affinity on host kernel
    log using Intel X710 (i40e driver) (LP: #1703663)
    - i40e: use valid online CPU on q_vector initialization

* Update snapcraft.yaml (LP: #1700480)
- snapcraft.yaml: various improvements

This bug was fixed in the package linux - 4.4.0-89.112

---------------
linux (4.4.0-89.112) xenial; urgency=low

* CVE-2017-7533
    - dentry name snapshots

linux (4.4.0-88.111) xenial; urgency=low

* linux: 4.4.0-88.111 -proposed tracker (LP: #1705270)

* [Xenial] nvme: Quirks for PM1725 controllers (LP: #1704435)
    - nvme: Quirks for PM1725 controllers

* Upgrade Redpine WLAN/BT driver to ver. 1.2 (production release)
    (LP: #1697829)
    - SAUCE: Redpine: Upgrade to ver. 1.2 production release

* ubuntu/rsi driver has several issues as picked up by static analysis
    (LP: #1694733)
    - SAUCE: Redpine: Upgrade to ver. 1.2 production release

* Redpine vendor driver - Switching to AP mode causes kernel panic
    (LP: #1700941)
    - SAUCE: Redpine: Upgrade to ver. 1.2 production release

* CVE-2017-10810
    - drm/virtio: don't leak bo on drm_gem_object_init failure

* Ath10k to read different board data file if specify in SMBIOS (LP: #1666742)
    - ath10k: search SMBIOS for OEM board file extension

* make snap-pkg support (LP: #1700747)
    - SAUCE: make snap-pkg support

* ISST-LTE: Briggs:Stratton:UbuntuKVM:  ics_opal_set_affinity on host kernel
    log using Intel X710 (i40e driver) (LP: #1703663)
    - i40e: use valid online CPU on q_vector initialization

* Update snapcraft.yaml (LP: #1700480)
    - snapcraft.yaml: various improvements

* Xenial update to 4.4.76 stable release (LP: #1702863)
    - ipv6: release dst on error in ip6_dst_lookup_tail
    - net: don't call strlen on non-terminated string in dev_set_alias()
    - decnet: dn_rtmsg: Improve input length sanitization in
      dnrmg_receive_user_skb
    - net: Zero ifla_vf_info in rtnl_fill_vfinfo()
    - af_unix: Add sockaddr length checks before accessing sa_family in bind and
      connect handlers
    - Fix an intermittent pr_emerg warning about lo becoming free.
    - net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
    - igmp: acquire pmc lock for ip_mc_clear_src()
    - igmp: add a missing spin_lock_init()
    - ipv6: fix calling in6_ifa_hold incorrectly for dad work
    - net/mlx5: Wait for FW readiness before initializing command interface
    - decnet: always not take dst->__refcnt when inserting dst into hash table
    - net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
    - sfc: provide dummy definitions of vswitch functions
    - ipv6: Do not leak throw route references
    - rtnetlink: add IFLA_GROUP to ifla_policy
    - netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
    - netfilter: synproxy: fix conntrackd interaction
    - NFSv4: fix a reference leak caused WARNING messages
    - drm/ast: Handle configuration without P2A bridge
    - mm, swap_cgroup: reschedule when neeed in swap_cgroup_swapoff()
    - MIPS: Avoid accidental raw backtrace
    - MIPS: pm-cps: Drop manual cache-line alignment of ready_count
    - MIPS: Fix IRQ tracing & lockdep when rescheduling
    - ALSA: hda - Fix endless loop of codec configure
    - ALSA: hda - set input_path bitmap to zero after moving it to new place
    - drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr
    - usb: gadget: f_fs: Fix possibe deadlock
    - sysctl: enable strict writes
    - mm: numa: avoid waiting on freed migrated pages
    - KVM: x86: fix fixing of hypercalls
    - scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type
    - scsi: lpfc: Set elsiocb contexts to NULL after freeing it
    - qla2xxx: Fix erroneous invalid handle message
    - ARM: dts: BCM5301X: Correct GIC_PPI interrupt flags
    - net: mvneta: Fix for_each_present_cpu usage
    - MIPS: ath79: fix regression in PCI window initialization
    - net: korina: Fix NAPI versus resources freeing
    - MIPS: ralink: MT7688 pinmux fixes
    - MIPS: ralink: fix USB frequency scaling
    - MIPS: ralink: Fix invalid assignment of SoC type
    - MIPS: ralink: fix MT7628 pinmux typos
    - MIPS: ralink: fix MT7628 wled_an pinmux gpio
    - mtd: bcm47xxpart: limit scanned flash area on BCM47XX (MIPS) only
    - bgmac: fix a missing check for build_skb
    - mtd: bcm47xxpart: don't fail because of bit-flips
    - bgmac: Fix reversed test of build_skb() return value.
    - net: bgmac: Fix SOF bit checking
    - net: bgmac: Start transmit queue in bgmac_open
    - net: bgmac: Remove superflous netif_carrier_on()
    - powerpc/eeh: Enable IO path on permanent error
    - gianfar: Do not reuse pages from emergency reserve
    - Btrfs: fix truncate down when no_holes feature is enabled
    - virtio_console: fix a crash in config_work_handler
    - swiotlb-xen: update dev_addr after swapping pages
    - xen-netfront: Fix Rx stall during network stress and OOM
    - scsi: virtio_scsi: Reject commands when virtqueue is broken
    - platform/x86: ideapad-laptop: handle ACPI event 1
    - amd-xgbe: Check xgbe_init() return code
    - net: dsa: Check return value of phy_connect_direct()
    - drm/amdgpu: check ring being ready before using
    - vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null
    - virtio_net: fix PAGE_SIZE > 64k
    - vxlan: do not age static remote mac entries
    - ibmveth: Add a proper check for the availability of the checksum features
    - kernel/panic.c: add missing \n
    - HID: i2c-hid: Add sleep between POWER ON and RESET
    - scsi: lpfc: avoid double free of resource identifiers
    - spi: davinci: use dma_mapping_error()
    - mac80211: initialize SMPS field in HT capabilities
    - x86/mpx: Use compatible types in comparison to fix sparse error
    - coredump: Ensure proper size of sparse core files
    - swiotlb: ensure that page-sized mappings are page-aligned
    - s390/ctl_reg: make __ctl_load a full memory barrier
    - be2net: fix status check in be_cmd_pmac_add()
    - perf probe: Fix to show correct locations for events on modules
    - net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
    - sctp: check af before verify address in sctp_addr_id2transport
    - ravb: Fix use-after-free on `ifconfig eth0 down`
    - jump label: fix passing kbuild_cflags when checking for asm goto support
    - xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
    - xfrm: NULL dereference on allocation failure
    - xfrm: Oops on error in pfkey_msg2xfrm_state()
    - watchdog: bcm281xx: Fix use of uninitialized spinlock.
    - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting
    - ARM64/ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation
    - ARM: 8685/1: ensure memblock-limit is pmd-aligned
    - x86/mpx: Correctly report do_mpx_bt_fault() failures to user-space
    - x86/mm: Fix flush_tlb_page() on Xen
    - ocfs2: o2hb: revert hb threshold to keep compatible
    - iommu/vt-d: Don't over-free page table directories
    - iommu: Handle default domain attach failure
    - iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
    - cpufreq: s3c2416: double free on driver init error path
    - KVM: x86: fix emulation of RSM and IRET instructions
    - KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh()
    - KVM: x86: zero base3 of unusable segments
    - KVM: nVMX: Fix exception injection
    - Linux 4.4.76

* Xenial update to 4.4.75 stable release (LP: #1702118)
    - fs/exec.c: account for argv/envp pointers
    - autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
    - lib/cmdline.c: fix get_options() overflow while parsing ranges
    - KVM: PPC: Book3S HV: Preserve userspace HTM state properly
    - CIFS: Improve readdir verbosity
    - HID: Add quirk for Dell PIXART OEM mouse
    - signal: Only reschedule timers on signals timers have sent
    - powerpc/kprobes: Pause function_graph tracing during jprobes handling
    - Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list
    - time: Fix clock->read(clock) race around clocksource changes
    - target: Fix kref->refcount underflow in transport_cmd_finish_abort
    - iscsi-target: Reject immediate data underflow larger than SCSI transfer
      length
    - drm/radeon: add a PX quirk for another K53TK variant
    - drm/radeon: add a quirk for Toshiba Satellite L20-183
    - drm/amdgpu/atom: fix ps allocation size for EnableDispPowerGating
    - drm/amdgpu: adjust default display clock
    - USB: usbip: fix nonconforming hub descriptor
    - rxrpc: Fix several cases where a padded len isn't checked in ticket decode
    - of: Add check to of_scan_flat_dt() before accessing initial_boot_params
    - mtd: spi-nor: fix spansion quad enable
    - powerpc/slb: Force a full SLB flush when we insert for a bad EA
    - usb: gadget: f_fs: avoid out of bounds access on comp_desc
    - net: phy: Initialize mdio clock at probe function
    - net: phy: fix marvell phy status reading
    - Linux 4.4.75

* Xenial update to 4.4.74 stable release (LP: #1702104)
    - configfs: Fix race between create_link and configfs_rmdir
    - can: gs_usb: fix memory leak in gs_cmd_reset()
    - cpufreq: conservative: Allow down_threshold to take values from 1 to 10
    - vb2: Fix an off by one error in 'vb2_plane_vaddr'
    - mac80211: don't look at the PM bit of BAR frames
    - mac80211/wpa: use constant time memory comparison for MACs
    - mac80211: fix CSA in IBSS mode
    - mac80211: fix IBSS presp allocation size
    - serial: efm32: Fix parity management in 'efm32_uart_console_get_options()'
    - x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init()
    - mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
    - staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()
    - iio: proximity: as3935: recalibrate RCO after resume
    - USB: hub: fix SS max number of ports
    - usb: core: fix potential memory leak in error path during hcd creation
    - pvrusb2: reduce stack usage pvr2_eeprom_analyze()
    - USB: gadget: dummy_hcd: fix hub-descriptor removable fields
    - usb: r8a66597-hcd: select a different endpoint on timeout
    - usb: r8a66597-hcd: decrease timeout
    - drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of
      IS_ERR()
    - usb: xhci: ASMedia ASM1042A chipset need shorts TX quirk
    - USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
    - mm/memory-failure.c: use compound_head() flags for huge pages
    - swap: cond_resched in swap_cgroup_prepare()
    - genirq: Release resources in __setup_irq() error path
    - alarmtimer: Prevent overflow of relative timers
    - usb: dwc3: exynos fix axius clock error path to do cleanup
    - MIPS: Fix bnezc/jialc return address calculation
    - alarmtimer: Rate limit periodic intervals
    - Linux 4.4.74

* Side Button (Display Toggle) fails on Dell AIO systems (LP: #1702541)
    - dell-wmi: Add a WMI event code for display on/off

* Intel i40e PF reset under load (LP: #1700834)
    - i40e/i40evf: Limit TSO to 7 descriptors for payload instead of 8 per packet

* update ENA driver to 1.2.0k from net-next (LP: #1701575)
    - net: ena: remove superfluous check in ena_remove()
    - net: ena: fix rare uncompleted admin command false alarm
    - net: ena: add missing return when ena_com_get_io_handlers() fails
    - net: ena: fix race condition between submit and completion admin command
    - net: ena: add missing unmap bars on device removal
    - net: ena: fix theoretical Rx hang on low memory systems
    - net: ena: disable admin msix while working in polling mode
    - net: ena: bug fix in lost tx packets detection mechanism
    - net: ena: update ena driver to version 1.1.7
    - net: ena: change return value for unsupported features unsupported return
      value
    - net: ena: add hardware hints capability to the driver
    - net: ena: change sizeof() argument to be the type pointer
    - net: ena: add reset reason for each device FLR
    - net: ena: add support for out of order rx buffers refill
    - net: ena: use napi_schedule_irqoff when possible
    - net: ena: separate skb allocation to dedicated function
    - net: ena: use lower_32_bits()/upper_32_bits() to split dma address
    - net: ena: update driver's rx drop statistics
    - net: ena: update ena driver to version 1.2.0

-- Thadeu Lima de Souza Cascardo <cascardo@canonical.com>  Mon, 31 Jul 2017 14:50:32 -0300

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Shrirang Bagul (shrirang-bagul) on 2017-08-11

Changed in linux (Ubuntu):
status:	Confirmed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

ubuntu/rsi driver has several issues as picked up by static analysis

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package