Attempting to dereference a null pointer results in undefined behavior, typically abnormal program termination.
...
This noncompliant code example is a real-world example taken from a vulnerable version of the libpng library as deployed on a popular ARM-based cell phone [Jack 2007]. The libpng implements its own wrapper to malloc() that returns a null pointer on error or on being passed a 0 byte length argument.
...
This noncompliant code example can be found in drivers/net/tun.c and affects Linux kernel 2.6.30 [Goodin 2009].
| Code Block | ||||
|---|---|---|---|---|
| ||||
static unsigned int tun_chr_poll(struct file *file, poll_table * wait) {
struct tun_file *tfile = file->private_data;
struct tun_struct *tun = __tun_get(tfile);
struct sock *sk = tun->sk;
unsigned int mask = 0;
if (!tun)
return POLLERR;
DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
poll_wait(file, &tun->socket.wait, wait);
if (!skb_queue_empty(&tun->readq))
mask |= POLLIN | POLLRDNORM;
if (sock_writeable(sk) ||
(!test_and_set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags) &&
sock_writeable(sk)))
mask |= POLLOUT | POLLWRNORM;
if (tun->dev->reg_state != NETREG_REGISTERED)
mask = POLLERR;
tun_put(tun);
return mask;
}
|
...
Normally, null pointer dereference results in access violation and abnormal program termination. However, it is possible to permit null pointer dereferencing on several operating systems, for example, using mmap(2) with the MAP_FIXED flag on Linux and Mac OS X or using shmat(2) with the SHM_RND flag on Linux [Liu 2009].
Compliant Solution
This compliant solution eliminates the null pointer deference by initializing sk to tun->sk following the null pointer check.
...
Dereferencing a null pointer results in undefined behavior, typically abnormal program termination. In some situations, however, dereferencing a null pointer can lead to the execution of arbitrary code [Jack 2007, van Sprundel 2006]. The indicated severity is for this more severe case; on platforms where it is not possible to exploit a null pointer dereference to execute arbitrary code, the actual severity is low.
...
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| 45 D | Fully implemented. | |||||||
Fortify SCA | V. 5.0 | ||||||||
Splint |
| ||||||||
| Compass/ROSE | Can detect violations of this rule. In particular, ROSE ensures that any pointer returned by | ||||||||
|
| CHECKED_RETURN | Finds instances where a pointer is checked against | ||||||
| NULL_RETURNS | Identifies functions that can return a null pointer but are not checked. | |||||||
| REVERSE_INULL | Identifies code that dereferences a pointer and then checks the pointer against | |||||||
| FORWARD_NULL | Can find the instances where | |||||||
| NPD.* *RNPD.* | ||||||||
| PRQA QA-C |
| 0504 | Fully implemented |
Related Vulnerabilities
...
ISO/IEC TR 17961 (Draft) Dereferencing an out-of-domain pointer [nullref]
ISO/IEC TR 24772 "HFC Pointer casting and pointer type changes" and "XYH Null pointer dereference"
MITRE CWE: CWE-476, "NULL Pointer dereference"
Bibliography
[Goodin 2009]
[Jack 2007]
[Liu 2009]
[van Sprundel 2006]
[Viega 2005] Section 5.2.18, "Null-pointer dereference"
...