lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 10 Jan 2010 09:51:58 +0100
From:	Jiri Slaby <jslaby@...e.cz>
To:	gregkh@...e.de
Cc:	akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
	jirislaby@...il.com, Alan Cox <alan@...ux.intel.com>
Subject: [PATCH 1/1] Char: synclink, fix potential null dereference

Stanse found a potential null dereference in mgsl_put_char and
mgsl_write. There is a check for tty being NULL, but it is
dereferenced earlier. Move the dereference after the check.

Also reorder mgsl_paranoia_check so that it makes sense:
* check !tty
* deref tty
* check !info
* deref info

And don't jump to cleanup label in mgsl_write's two cases, return
immediately, since there is an info dereference as well.

Signed-off-by: Jiri Slaby <jslaby@...e.cz>
---
 drivers/char/synclink.c |   30 ++++++++++++++++++++----------
 1 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/drivers/char/synclink.c b/drivers/char/synclink.c
index 4846b73..30f21bd 100644
--- a/drivers/char/synclink.c
+++ b/drivers/char/synclink.c
@@ -2019,19 +2019,24 @@ static void mgsl_change_params(struct mgsl_struct *info)
  */
 static int mgsl_put_char(struct tty_struct *tty, unsigned char ch)
 {
-	struct mgsl_struct *info = tty->driver_data;
+	struct mgsl_struct *info;
 	unsigned long flags;
 	int ret = 0;
 
+	if (!tty)
+		return 0;
+
+	info = tty->driver_data;
+
+	if (mgsl_paranoia_check(info, tty->name, "mgsl_put_char"))
+		return 0;
+
 	if (debug_level >= DEBUG_LEVEL_INFO) {
 		printk(KERN_DEBUG "%s(%d):mgsl_put_char(%d) on %s\n",
 			__FILE__, __LINE__, ch, info->device_name);
 	}		
 	
-	if (mgsl_paranoia_check(info, tty->name, "mgsl_put_char"))
-		return 0;
-
-	if (!tty || !info->xmit_buf)
+	if (!info->xmit_buf)
 		return 0;
 
 	spin_lock_irqsave(&info->irq_spinlock, flags);
@@ -2111,17 +2116,22 @@ static int mgsl_write(struct tty_struct * tty,
 		    const unsigned char *buf, int count)
 {
 	int	c, ret = 0;
-	struct mgsl_struct *info = tty->driver_data;
+	struct mgsl_struct *info;
 	unsigned long flags;
 	
+	if (!tty)
+		return 0;
+
+	info = tty->driver_data;
+
+	if (mgsl_paranoia_check(info, tty->name, "mgsl_write"))
+		return 0;
+
 	if ( debug_level >= DEBUG_LEVEL_INFO )
 		printk( "%s(%d):mgsl_write(%s) count=%d\n",
 			__FILE__,__LINE__,info->device_name,count);
-	
-	if (mgsl_paranoia_check(info, tty->name, "mgsl_write"))
-		goto cleanup;
 
-	if (!tty || !info->xmit_buf)
+	if (!info->xmit_buf)
 		goto cleanup;
 
 	if ( info->params.mode == MGSL_MODE_HDLC ||
-- 
1.6.5.7

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ