lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 May 2019 10:27:52 +0800 From: Gen Zhang <blackgod016574@...il.com> To: jslaby@...e.com Cc: mpatocka@...hat.com, linux-kernel@...r.kernel.org Subject: [PATCH v3] vt: Fix a missing-check bug in con_init() In function con_init(), the pointer variable vc_cons[currcons].d, vc and vc->vc_screenbuf is allocated a memory space via kzalloc(). And they are used in the following codes. However, when there is a memory allocation error, kzalloc() can fail. Thus null pointer (vc_cons[currcons].d, vc and vc->vc_screenbuf) dereference may happen. And it will cause the kernel to crash. Therefore, we should check return value and handle the error. Further, since the allcoation is in a loop, we should free all the allocated memory in a loop. Signed-off-by: Gen Zhang <blackgod016574@...il.com> Reviewed-by: Nicolas Pitre <nico@...xnic.net> --- diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index fdd12f8..d50f68f 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -3350,10 +3350,14 @@ static int __init con_init(void) for (currcons = 0; currcons < MIN_NR_CONSOLES; currcons++) { vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT); + if (!vc) + goto fail1; INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK); tty_port_init(&vc->port); visual_init(vc, currcons, 1); vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT); + if (!vc->vc_screenbuf) + goto fail2; vc_init(vc, vc->vc_rows, vc->vc_cols, currcons || !vc->vc_sw->con_save_screen); } @@ -3375,6 +3379,16 @@ static int __init con_init(void) register_console(&vt_console_driver); #endif return 0; +fail1: + while (currcons > 0) { + currcons--; + kfree(vc_cons[currcons].d->vc_screenbuf); +fail2: + kfree(vc_cons[currcons].d); + vc_cons[currcons].d = NULL; + } + console_unlock(); + return -ENOMEM; } console_initcall(con_init); ---
Powered by blists - more mailing lists