lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20171219164825.14642-1-colin.king@canonical.com>
Date:   Tue, 19 Dec 2017 16:48:25 +0000
From:   Colin King <colin.king@...onical.com>
To:     Mauro Carvalho Chehab <mchehab@...nel.org>,
        Sean Young <sean@...s.org>, linux-media@...r.kernel.org
Cc:     kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH][next] media: lirc: don't kfree the uninitialized pointer txbuf

From: Colin Ian King <colin.king@...onical.com>

The current error exit path if ir_raw_encode_scancode fails is via the
label out_kfree which kfree's an uninitialized pointer txbuf. Fix this
by exiting via a new exit path that does not kfree txbuf.  Also exit
via this new exit path for a failed allocation of txbuf to avoid a
redundant kfree on a NULL pointer (to save a bunch of CPU cycles).

Detected by: CoverityScan, CID#1463070 ("Uninitialized pointer read")

Fixes: f81a8158d4fb ("media: lirc: release lock before sleep")
Signed-off-by: Colin Ian King <colin.king@...onical.com>
---
 drivers/media/rc/lirc_dev.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c
index fae42f120aa4..62afa4493aea 100644
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -295,14 +295,14 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 		ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode,
 					     raw, LIRCBUF_SIZE);
 		if (ret < 0)
-			goto out_kfree;
+			goto out_kfree_raw;
 
 		count = ret;
 
 		txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL);
 		if (!txbuf) {
 			ret = -ENOMEM;
-			goto out_kfree;
+			goto out_kfree_raw;
 		}
 
 		for (i = 0; i < count; i++)
@@ -366,6 +366,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 	return n;
 out_kfree:
 	kfree(txbuf);
+out_kfree_raw:
 	kfree(raw);
 out_unlock:
 	mutex_unlock(&dev->lock);
-- 
2.14.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ