lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Sat, 9 Aug 2014 22:26:12 +0530
From:	Himangi Saraogi <himangi774@...il.com>
To:	Mike Turquette <mturquette@...aro.org>,
	linux-kernel@...r.kernel.org
Cc:	Julia Lawall <julia.lawall@...6.fr>
Subject: [PATCH] clk: st: remove null pointer dereference

If clk_data is NULL, it is not possible to access its clk_num field. So
if the NULL test succeeds the control sequence mush jump after the loop.
So, a new label is introduced and the labels are renamed to err0 and
err1. If clk_data is NULL, only parents need to be freed and hence the
goto now points to err0.

This problem was found using the following Coccinelle semantic match:

// <smpl>
@@
expression E, E1;
identifier f;
statement S1,S2,S3;
@@

* if (E == NULL)
{
  ... when != if (E == NULL) S1 else S2
      when != E = E1
* E->f
  ... when any
  return ...;
}
else S3
// </smpl>

Signed-off-by: Himangi Saraogi <himangi774@...il.com>
Acked-by: Julia Lawall <julia.lawall@...6.fr>
---
Not compile tested.
 drivers/clk/st/clkgen-mux.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/clk/st/clkgen-mux.c b/drivers/clk/st/clkgen-mux.c
index 79dc40b..385b3d0 100644
--- a/drivers/clk/st/clkgen-mux.c
+++ b/drivers/clk/st/clkgen-mux.c
@@ -723,14 +723,14 @@ void __init st_of_clkgen_vcc_setup(struct device_node *np)
 
 	clk_data = kzalloc(sizeof(*clk_data), GFP_KERNEL);
 	if (!clk_data)
-		goto err;
+		goto err0;
 
 	clk_data->clk_num = VCC_MAX_CHANNELS;
 	clk_data->clks = kzalloc(clk_data->clk_num * sizeof(struct clk *),
 				 GFP_KERNEL);
 
 	if (!clk_data->clks)
-		goto err;
+		goto err1;
 
 	for (i = 0; i < clk_data->clk_num; i++) {
 		struct clk *clk;
@@ -791,7 +791,7 @@ void __init st_of_clkgen_vcc_setup(struct device_node *np)
 			kfree(gate);
 			kfree(div);
 			kfree(mux);
-			goto err;
+			goto err1;
 		}
 
 		pr_debug("%s: parent %s rate %u\n",
@@ -807,7 +807,7 @@ void __init st_of_clkgen_vcc_setup(struct device_node *np)
 	of_clk_add_provider(np, of_clk_src_onecell_get, clk_data);
 	return;
 
-err:
+err1:
 	for (i = 0; i < clk_data->clk_num; i++) {
 		struct clk_composite *composite;
 
@@ -821,10 +821,11 @@ err:
 		kfree(container_of(composite->mux_hw, struct clk_mux, hw));
 	}
 
-	if (clk_data)
-		kfree(clk_data->clks);
+	kfree(clk_data->clks);
 
 	kfree(clk_data);
+
+err0:
 	kfree(parents);
 }
 CLK_OF_DECLARE(clkgen_vcc, "st,clkgen-vcc", st_of_clkgen_vcc_setup);
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ