Date:	Sun, 6 Jun 2010 13:53:04 +0300
From:	Marin Mitov <mitov@...p.bas.bg>
To:	linux-kernel@...r.kernel.org
Subject: [BUG][PATCH]dma-coherent.c: error path bug

Hi all,

The error path in dma_declare_coherent_memory() leaves
the pointer dev->dma_mem not completely initialized.

If allocation of dev->dma_mem succeeds,
but allocation of dev->dma_mem->bitmap fails,
dev->dma_mem is freed, but left non-NULL
and not completely initialized.

Either zero it after being freed (one-liner patch), or assign to
dev->dma_mem only a completely initialized structure (patch included).

Comments welcome.

Marin Mitov

Signed-off-by: Marin Mitov <mitov@...p.bas.bg>

=======================================================================
--- a/drivers/base/dma-coherent.c	2010-06-06 12:47:17.000000000 +0300
+++ b/drivers/base/dma-coherent.c	2010-06-06 12:53:36.000000000 +0300
@@ -17,6 +17,7 @@ struct dma_coherent_mem {
 int dma_declare_coherent_memory(struct device *dev, dma_addr_t bus_addr,
 				dma_addr_t device_addr, size_t size, int flags)
 {
+	struct dma_coherent_mem *mem;
 	void __iomem *mem_base = NULL;
 	int pages = size >> PAGE_SHIFT;
 	int bitmap_size = BITS_TO_LONGS(pages) * sizeof(long);
@@ -34,17 +35,18 @@ int dma_declare_coherent_memory(struct d
 	if (!mem_base)
 		goto out;
 
-	dev->dma_mem = kzalloc(sizeof(struct dma_coherent_mem), GFP_KERNEL);
-	if (!dev->dma_mem)
+	mem = kzalloc(sizeof(*mem), GFP_KERNEL);
+	if (!mem)
 		goto out;
-	dev->dma_mem->bitmap = kzalloc(bitmap_size, GFP_KERNEL);
-	if (!dev->dma_mem->bitmap)
+	mem->bitmap = kzalloc(bitmap_size, GFP_KERNEL);
+	if (!mem->bitmap)
 		goto free1_out;
 
-	dev->dma_mem->virt_base = mem_base;
-	dev->dma_mem->device_base = device_addr;
-	dev->dma_mem->size = pages;
-	dev->dma_mem->flags = flags;
+	mem->virt_base = mem_base;
+	mem->device_base = device_addr;
+	mem->size = pages;
+	mem->flags = flags;
+	dev->dma_mem = mem;
 
 	if (flags & DMA_MEMORY_MAP)
 		return DMA_MEMORY_MAP;
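Review bot: the store `dev->dma_mem = mem;` at the end of the initialization block is order-sensitive, but nothing in the code says so. The fix depends on the pointer being published only after `mem->bitmap` is allocated and the remaining fields are filled in, so a one-line comment above the assignment would keep a later edit from moving it back above the `goto free1_out` check. The changelog could also state the consequence of the old behaviour in one sentence: after a failed bitmap allocation `dev->dma_mem` kept pointing at freed memory, which is the reason for preferring this variant over leaving the stores on `dev->dma_mem` in place.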
@@ -52,7 +54,7 @@ int dma_declare_coherent_memory(struct d
 	return DMA_MEMORY_IO;
 
  free1_out:
-	kfree(dev->dma_mem);
+	kfree(mem);
  out:
 	if (mem_base)
 		iounmap(mem_base);
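Review bot: `kfree(mem);` under `free1_out:` is safe only because the single jump to that label comes after `mem = kzalloc(...)`. In the first hunk `mem` is declared without an initializer, while `mem_base` next to it is set to NULL. Declaring it as `struct dma_coherent_mem *mem = NULL;` costs nothing, and since kfree(NULL) is a no-op it keeps this error path correct if another `goto free1_out` is ever added earlier in the function.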