lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20190608162127.GA11699@kroah.com>
Date:   Sat, 8 Jun 2019 18:21:27 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Gen Zhang <blackgod016574@...il.com>
Cc:     jslaby@...e.com, nico@...xnic.net, kilobyte@...band.pl,
        textshell@...uujin.de, mpatocka@...hat.com, daniel.vetter@...ll.ch,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] vt: Fix a missing-check bug in con_init()

On Sun, Jun 09, 2019 at 12:01:38AM +0800, Gen Zhang wrote:
> On Tue, May 28, 2019 at 08:45:29AM +0800, Gen Zhang wrote:
> > In function con_init(), the pointer variable vc_cons[currcons].d, vc and
> > vc->vc_screenbuf is allocated by kzalloc(). And they are used in the 
> > following codes. However, kzalloc() returns NULL when fails, and null 
> > pointer dereference may happen. And it will cause the kernel to crash. 
> > Therefore, we should check the return value and handle the error.
> > 
> > Further, since the allcoation is in a loop, we should free all the 
> > allocated memory in a loop.
> > 
> > Signed-off-by: Gen Zhang <blackgod016574@...il.com>
> > Reviewed-by: Nicolas Pitre <nico@...xnic.net>
> > ---
> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> > index fdd12f8..d50f68f 100644
> > --- a/drivers/tty/vt/vt.c
> > +++ b/drivers/tty/vt/vt.c
> > @@ -3350,10 +3350,14 @@ static int __init con_init(void)
> >  
> >  	for (currcons = 0; currcons < MIN_NR_CONSOLES; currcons++) {
> >  		vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT);
> > +		if (!vc)
> > +			goto fail1;
> >  		INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);
> >  		tty_port_init(&vc->port);
> >  		visual_init(vc, currcons, 1);
> >  		vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT);
> > +		if (!vc->vc_screenbuf)
> > +			goto fail2;
> >  		vc_init(vc, vc->vc_rows, vc->vc_cols,
> >  			currcons || !vc->vc_sw->con_save_screen);
> >  	}
> > @@ -3375,6 +3379,16 @@ static int __init con_init(void)
> >  	register_console(&vt_console_driver);
> >  #endif
> >  	return 0;
> > +fail1:
> > +	while (currcons > 0) {
> > +		currcons--;
> > +		kfree(vc_cons[currcons].d->vc_screenbuf);
> > +fail2:
> > +		kfree(vc_cons[currcons].d);
> > +		vc_cons[currcons].d = NULL;
> > +	}
> > +	console_unlock();
> > +	return -ENOMEM;
> >  }
> >  console_initcall(con_init);
> >  
> > ---
> Can anyone look into this patch? It's already reviewed by Nicolas Pitre
> <nico@...xnic.net>.

It's in my queue.  But note, given the previous history of your patches,
it's really low on my piority list at the moment :(

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ