lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4CBBF407.7060705@bfs.de>
Date:	Mon, 18 Oct 2010 09:15:19 +0200
From:	walter harms <wharms@....de>
To:	Julia Lawall <julia@...u.dk>
CC:	kernel-janitors@...r.kernel.org, devel@...verdev.osuosl.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] drivers/staging/cx25821: Use kasprintf



Julia Lawall schrieb:
> Rewrite the initialization of a dev field.  In the original code, in each
> case there was a kmalloc followed by a memcpy, as illustrated by the
> semantic patch below.  In the case that the provided string was the empty
> string, the allocated memory was then overwritten with a constant string,
> causing a memory leak.  Finally, there was no provision for returning
> -ENOMEM in case of failure of the memory allocation.  Indeed, the return
> value in an error case was err, a variable that was never initialized to
> anything other than 0.
> 
> The following patch rewrites the above code to first select a string based
> on various conditions, and then to copy it into a newly allocated memory
> region, using kasprintf.  This decreases subtantially the code size
> and removes the memory leak.  The instruction for getting the length of the
> string and the associated variable declaration are also deleted.
> 
> The patch also drops err, changes the return value to retval, which in each
> file was already initialized elsewhere to an error code, and initializes
> retval to -ENOMEM when kasprintf fails.
> 
> The semantic patch that motivated this transformation is:
> (http://coccinelle.lip6.fr/)
> 
> // <smpl>
> @@
> expression a,flag,len;
> expression arg,e1,e2;
> statement S;
> @@
> 
>   len = strlen(arg)
>   ... when != len = e1
>       when != arg = e2
>   a =
> -  \(kmalloc\|kzalloc\)(len+1,flag)
> +  kasprintf(flag,"%s",arg)
>   <... when != a
>   if (a == NULL || ...) S
>   ...>
> - memcpy(a,arg,len+1);
> // </smpl>
> 
> Signed-off-by: Julia Lawall <julia@...u.dk>
> 
> ---
> This patch makes quite a lot of changes and is only compile tested.
> 
>  drivers/staging/cx25821/cx25821-audio-upstream.c     |   36 +++---------
>  drivers/staging/cx25821/cx25821-video-upstream-ch2.c |   57 +++++++------------
>  drivers/staging/cx25821/cx25821-video-upstream.c     |   56 +++++++-----------
>  3 files changed, 56 insertions(+), 93 deletions(-)
> 
> diff --git a/drivers/staging/cx25821/cx25821-audio-upstream.c b/drivers/staging/cx25821/cx25821-audio-upstream.c
> index 27087db..a8f6343 100644
> --- a/drivers/staging/cx25821/cx25821-audio-upstream.c
> +++ b/drivers/staging/cx25821/cx25821-audio-upstream.c
> @@ -723,8 +723,7 @@ int cx25821_audio_upstream_init(struct cx25821_dev *dev, int channel_select)
>  {
>  	struct sram_channel *sram_ch;
>  	int retval = 0;
> -	int err = 0;
> -	int str_length = 0;
> +	char *filename;
>  
>  	if (dev->_audio_is_running) {
>  		printk(KERN_WARNING "Audio Channel is still running so return!\n");
> @@ -752,28 +751,15 @@ int cx25821_audio_upstream_init(struct cx25821_dev *dev, int channel_select)
>  	dev->_audio_lines_count = LINES_PER_AUDIO_BUFFER;
>  	_line_size = AUDIO_LINE_SIZE;
>  
> -	if (dev->input_audiofilename) {
> -		str_length = strlen(dev->input_audiofilename);
> -		dev->_audiofilename = kmalloc(str_length + 1, GFP_KERNEL);
> -
> -		if (!dev->_audiofilename)
> -			goto error;
> -
> -		memcpy(dev->_audiofilename, dev->input_audiofilename,
> -		       str_length + 1);
> -
> -		/* Default if filename is empty string */
> -		if (strcmp(dev->input_audiofilename, "") == 0)
> -			dev->_audiofilename = "/root/audioGOOD.wav";
> -
> -	} else {
> -		str_length = strlen(_defaultAudioName);
> -		dev->_audiofilename = kmalloc(str_length + 1, GFP_KERNEL);
> -
> -		if (!dev->_audiofilename)
> -			goto error;
> -
> -		memcpy(dev->_audiofilename, _defaultAudioName, str_length + 1);
> +	if (dev->input_audiofilename &&
> +	    strcmp(dev->input_audiofilename, "") != 0)
> +		filename = dev->input_audiofilename;
> +	else
> +		filename = _defaultAudioName;
> +	dev->_audiofilename = kasprintf(GFP_KERNEL, "%s", filename);
> +	if (!dev->_audiofilename) {
> +		retval = -ENOMEM;
> +		goto error;
>  	}
>

Is filename needed here at all ?
The if statement looks strange this looks more familar to me:
if (!dev->input_audiofilename || *dev->input_audiofilename==0)
	filename = _defaultAudioName;
else
	filename = dev->input_audiofilename;

re
 wh


>  	retval =
> @@ -802,5 +788,5 @@ int cx25821_audio_upstream_init(struct cx25821_dev *dev, int channel_select)
>  error:
>  	cx25821_dev_unregister(dev);
>  
> -	return err;
> +	return retval;
>  }
> diff --git a/drivers/staging/cx25821/cx25821-video-upstream-ch2.c b/drivers/staging/cx25821/cx25821-video-upstream-ch2.c
> index d12dbb5..531e0c4 100644
> --- a/drivers/staging/cx25821/cx25821-video-upstream-ch2.c
> +++ b/drivers/staging/cx25821/cx25821-video-upstream-ch2.c
> @@ -747,10 +747,9 @@ int cx25821_vidupstream_init_ch2(struct cx25821_dev *dev, int channel_select,
>  	struct sram_channel *sram_ch;
>  	u32 tmp;
>  	int retval = 0;
> -	int err = 0;
>  	int data_frame_size = 0;
>  	int risc_buffer_size = 0;
> -	int str_length = 0;
> +	char *filename;
>  
>  	if (dev->_is_running_ch2) {
>  		printk("Video Channel is still running so return!\n");
> @@ -789,38 +788,26 @@ int cx25821_vidupstream_init_ch2(struct cx25821_dev *dev, int channel_select,
>  	    dev->_isNTSC_ch2 ? NTSC_RISC_BUF_SIZE : PAL_RISC_BUF_SIZE;
>  
>  	if (dev->input_filename_ch2) {
> -		str_length = strlen(dev->input_filename_ch2);
> -		dev->_filename_ch2 = kmalloc(str_length + 1, GFP_KERNEL);
> -
> -		if (!dev->_filename_ch2)
> -			goto error;
> -
> -		memcpy(dev->_filename_ch2, dev->input_filename_ch2,
> -		       str_length + 1);
> -	} else {
> -		str_length = strlen(dev->_defaultname_ch2);
> -		dev->_filename_ch2 = kmalloc(str_length + 1, GFP_KERNEL);
> -
> -		if (!dev->_filename_ch2)
> -			goto error;
> -
> -		memcpy(dev->_filename_ch2, dev->_defaultname_ch2,
> -		       str_length + 1);
> -	}
> -
> -       /* Default if filename is empty string */
> -	if (strcmp(dev->input_filename_ch2, "") == 0) {
> -		if (dev->_isNTSC_ch2) {
> -			dev->_filename_ch2 =
> -			    (dev->_pixel_format_ch2 ==
> -			     PIXEL_FRMT_411) ? "/root/vid411.yuv" :
> -			    "/root/vidtest.yuv";
> -		} else {
> -			dev->_filename_ch2 =
> -			    (dev->_pixel_format_ch2 ==
> -			     PIXEL_FRMT_411) ? "/root/pal411.yuv" :
> -			    "/root/pal422.yuv";
> -		}
> +		/* Default if filename is empty string */
> +		if (strcmp(dev->input_filename_ch2, "") == 0) {
> +			if (dev->_isNTSC_ch2)
> +				filename =
> +					(dev->_pixel_format_ch2 ==
> +					PIXEL_FRMT_411) ? "/root/vid411.yuv" :
> +					"/root/vidtest.yuv";
> +			else
> +				filename =
> +					(dev->_pixel_format_ch2 ==
> +					PIXEL_FRMT_411) ? "/root/pal411.yuv" :
> +					"/root/pal422.yuv";
> +		} else
> +			filename = dev->input_filename_ch2;
> +	} else
> +		filename = dev->_defaultname_ch2;
> +	dev->_filename_ch2 = kasprintf(GFP_KERNEL, "%s", filename);
> +	if (!dev->_filename_ch2) {
> +		retval = -ENOMEM;
> +		goto error;
>  	}
>  
>  	retval =
> @@ -851,5 +838,5 @@ int cx25821_vidupstream_init_ch2(struct cx25821_dev *dev, int channel_select,
>        error:
>  	cx25821_dev_unregister(dev);
>  
> -	return err;
> +	return retval;
>  }
> diff --git a/drivers/staging/cx25821/cx25821-video-upstream.c b/drivers/staging/cx25821/cx25821-video-upstream.c
> index 756a820..040f795 100644
> --- a/drivers/staging/cx25821/cx25821-video-upstream.c
> +++ b/drivers/staging/cx25821/cx25821-video-upstream.c
> @@ -800,10 +800,9 @@ int cx25821_vidupstream_init_ch1(struct cx25821_dev *dev, int channel_select,
>  	struct sram_channel *sram_ch;
>  	u32 tmp;
>  	int retval = 0;
> -	int err = 0;
>  	int data_frame_size = 0;
>  	int risc_buffer_size = 0;
> -	int str_length = 0;
> +	char *filename;
>  
>  	if (dev->_is_running) {
>  		printk(KERN_INFO "Video Channel is still running so return!\n");
> @@ -841,36 +840,27 @@ int cx25821_vidupstream_init_ch1(struct cx25821_dev *dev, int channel_select,
>  	    dev->_isNTSC ? NTSC_RISC_BUF_SIZE : PAL_RISC_BUF_SIZE;
>  
>  	if (dev->input_filename) {
> -		str_length = strlen(dev->input_filename);
> -		dev->_filename = kmalloc(str_length + 1, GFP_KERNEL);
> -
> -		if (!dev->_filename)
> -			goto error;
> -
> -		memcpy(dev->_filename, dev->input_filename, str_length + 1);
> -	} else {
> -		str_length = strlen(dev->_defaultname);
> -		dev->_filename = kmalloc(str_length + 1, GFP_KERNEL);
> -
> -		if (!dev->_filename)
> -			goto error;
> -
> -		memcpy(dev->_filename, dev->_defaultname, str_length + 1);
> -	}
> -
> -	/* Default if filename is empty string */
> -	if (strcmp(dev->input_filename, "") == 0) {
> -		if (dev->_isNTSC) {
> -			dev->_filename =
> -			    (dev->_pixel_format ==
> -			     PIXEL_FRMT_411) ? "/root/vid411.yuv" :
> -			    "/root/vidtest.yuv";
> -		} else {
> -			dev->_filename =
> -			    (dev->_pixel_format ==
> -			     PIXEL_FRMT_411) ? "/root/pal411.yuv" :
> -			    "/root/pal422.yuv";
> -		}
> +		/* Default if filename is empty string */
> +		if (strcmp(dev->input_filename, "") == 0) {
> +			if (dev->_isNTSC)
> +				filename =
> +					(dev->_pixel_format ==
> +					PIXEL_FRMT_411) ? "/root/vid411.yuv" :
> +					"/root/vidtest.yuv";
> +			else
> +				filename =
> +					(dev->_pixel_format ==
> +					PIXEL_FRMT_411) ? "/root/pal411.yuv" :
> +					"/root/pal422.yuv";
> +		} else
> +			filename = dev->input_filename;
> +	} else
> +		filename = dev->_defaultname;
> +
> +	dev->_filename = kasprintf(GFP_KERNEL, "%s", filename);
> +	if (!dev->_filename) {
> +		retval = -ENOMEM;
> +		goto error;
>  	}
>  
>  	dev->_is_running = 0;
> @@ -908,5 +898,5 @@ int cx25821_vidupstream_init_ch1(struct cx25821_dev *dev, int channel_select,
>  error:
>  	cx25821_dev_unregister(dev);
>  
> -	return err;
> +	return retval;
>  }
> 
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ