| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Mar 2018 17:55:57 +0800
From: Jia-Ju Bai <baijiaju1990@...il.com>
To: Ji-Hun Kim <ji_hun.kim@...sung.com>, gregkh@...uxfoundation.org,
forest@...ttletooquiet.net
Cc: dartnorris@...il.com, santhameena13@...il.com,
julia.lawall@...6.fr, y.k.oh@...sung.com,
devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] staging: vt6655: check for memory allocation failures
On 2018/3/28 14:31, Ji-Hun Kim wrote:
> There are no null pointer checking on rd_info and td_info values which
> are allocated by kzalloc. It has potential null pointer dereferencing
> issues. Add return when allocation is failed.
>
> Signed-off-by: Ji-Hun Kim <ji_hun.kim@...sung.com>
> ---
> drivers/staging/vt6655/device_main.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
> index fbc4bc6..5d0ba94 100644
> --- a/drivers/staging/vt6655/device_main.c
> +++ b/drivers/staging/vt6655/device_main.c
> @@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv)
> i ++, curr += sizeof(struct vnt_rx_desc)) {
> desc = &priv->aRD0Ring[i];
> desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
> -
> + if (WARN_ON(!desc->rd_info))
> + return;
> if (!device_alloc_rx_buf(priv, desc))
> dev_err(&priv->pcid->dev, "can not alloc rx bufs\n");
>
> @@ -563,7 +564,8 @@ static void device_init_rd1_ring(struct vnt_private *priv)
> i ++, curr += sizeof(struct vnt_rx_desc)) {
> desc = &priv->aRD1Ring[i];
> desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
> -
> + if (WARN_ON(!desc->rd_info))
> + return;
> if (!device_alloc_rx_buf(priv, desc))
> dev_err(&priv->pcid->dev, "can not alloc rx bufs\n");
>
> @@ -621,7 +623,8 @@ static void device_init_td0_ring(struct vnt_private *priv)
> i++, curr += sizeof(struct vnt_tx_desc)) {
> desc = &priv->apTD0Rings[i];
> desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL);
> -
> + if (WARN_ON(!desc->td_info))
> + return;
> desc->td_info->buf = priv->tx0_bufs + i * PKT_BUF_SZ;
> desc->td_info->buf_dma = priv->tx_bufs_dma0 + i * PKT_BUF_SZ;
>
> @@ -646,7 +649,8 @@ static void device_init_td1_ring(struct vnt_private *priv)
> i++, curr += sizeof(struct vnt_tx_desc)) {
> desc = &priv->apTD1Rings[i];
> desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL);
> -
> + if (WARN_ON(!desc->td_info))
> + return;
> desc->td_info->buf = priv->tx1_bufs + i * PKT_BUF_SZ;
> desc->td_info->buf_dma = priv->tx_bufs_dma1 + i * PKT_BUF_SZ;
>
I think the bugs you found are right.
But your patch is not correct, because it is dangerous to return directly.
I think you should return an error and then implement error handling
code for these functions.
Best wishes,
Jia-Ju Bai
Powered by blists - more mailing lists