Message-ID: <52202948.7010303@sonymobile.com>
Date:	Thu, 29 Aug 2013 22:10:32 -0700
From:	Frank Rowand <frank.rowand@...ymobile.com>
To:	linus.walleij@...aro.org
CC:	grant.likely@...aro.org, linux-gpio@...r.kernel.org,
	linux-kernel@...r.kernel.org, tim.bird@...ymobile.com
Subject: [PATCH] gpio: null pointer dereference in error handling in gpiolib.c


Avoid calling desc_to_gpio() if desc->chip is NULL, as this will
cause a kernel panic.

In the code above the calls, there is a test for !chip, which
comes to the 'fail' label if true. In this case, the code
panics, since desc_to_gpio() uses desc->chip to look up the
gpio number.

An RFC patch that explained the cause of one example of panic when
desc->chip is NULL and fixed that example
(http://lkml.indiana.edu/hypermail/linux/kernel/1308.3/01473.html)
was accepted.  This patch fixes the remaining locations which have
the same problem.

Signed-off-by: Frank Rowand <frank.rowand@...ymobile.com>

---
  drivers/gpio/gpiolib.c |   33 	24 +	9 -	0 !
  1 file changed, 24 insertions(+), 9 deletions(-)

Index: b/drivers/gpio/gpiolib.c
===================================================================
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -1676,9 +1676,14 @@ lose:
  	return status;
  fail:
  	spin_unlock_irqrestore(&gpio_lock, flags);
-	if (status)
-		pr_debug("%s: gpio-%d status %d\n", __func__,
-			 desc_to_gpio(desc), status);
+	if (status) {
+		if (desc->chip) {
+			pr_debug("%s: gpio-%d status %d\n", __func__,
+				 desc_to_gpio(desc), status);
+		} else {
+			pr_debug("%s: gpio-?? status %d\n", __func__, status);
+		}
+	}
  	return status;
  }

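Review bot: the new desc->chip test at this fail: label runs after spin_unlock_irqrestore(&gpio_lock, flags), so both the test and the desc_to_gpio(desc) call that follows it happen outside the lock. If desc->chip can be cleared by another context once gpio_lock is dropped, the pointer can become NULL between the test and the use, and the panic stays reachable. Consider reading the gpio number, or a local copy of desc->chip, before the unlock and passing that to pr_debug().
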
@@ -1745,9 +1750,14 @@ lose:
  	return status;
  fail:
  	spin_unlock_irqrestore(&gpio_lock, flags);
-	if (status)
-		pr_debug("%s: gpio-%d status %d\n", __func__,
-			 desc_to_gpio(desc), status);
+	if (status) {
+		if (desc->chip) {
+			pr_debug("%s: gpio-%d status %d\n", __func__,
+				 desc_to_gpio(desc), status);
+		} else {
+			pr_debug("%s: gpio-?? status %d\n", __func__, status);
+		}
+	}
  	return status;
  }

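Review bot: the if/else at this second fail: label is a verbatim copy of the block added at the other two fail: labels in this patch, and three copies make it easy for a later fix to update one and miss the others. A small static helper that takes desc, the caller name and status, called in one line from each fail: path, would keep the NULL check and the message format in a single place.
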
@@ -1795,9 +1805,14 @@ static int gpiod_set_debounce(struct gpi

  fail:
  	spin_unlock_irqrestore(&gpio_lock, flags);
-	if (status)
-		pr_debug("%s: gpio-%d status %d\n", __func__,
-			 desc_to_gpio(desc), status);
+	if (status) {
+		if (desc->chip) {
+			pr_debug("%s: gpio-%d status %d\n", __func__,
+				 desc_to_gpio(desc), status);
+		} else {
+			pr_debug("%s: gpio-?? status %d\n", __func__, status);
+		}
+	}

  	return status;
  }
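
Review bot: in the else branch at the fail: label of gpiod_set_debounce(), the "gpio-?? status %d" message drops every identifier for the descriptor, so the debug output cannot show which request failed. Printing the descriptor pointer with %p next to the status would keep the line usable when desc->chip is NULL.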