| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211214144613.35fec82a@coco.lan>
Date: Tue, 14 Dec 2021 14:46:13 +0100
From: Mauro Carvalho Chehab <mchehab@...nel.org>
To: Zhou Qingyang <zhou1615@....edu>
Cc: kjlu@....edu, Neil Armstrong <narmstrong@...libre.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Kevin Hilman <khilman@...libre.com>,
Jerome Brunet <jbrunet@...libre.com>,
Martin Blumenstingl <martin.blumenstingl@...glemail.com>,
Hans Verkuil <hverkuil-cisco@...all.nl>,
Maxime Jourdan <mjourdan@...libre.com>,
linux-media@...r.kernel.org, linux-amlogic@...ts.infradead.org,
linux-staging@...ts.linux.dev,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] media: meson: vdec: Fix a NULL pointer dereference
in amvdec_add_ts()
Em Fri, 3 Dec 2021 00:03:57 +0800
Zhou Qingyang <zhou1615@....edu> escreveu:
> In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
> to a NULL pointer dereference on failure of kzalloc().
>
> I fix this bug by adding a NULL check of new_ts.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
> Signed-off-by: Zhou Qingyang <zhou1615@....edu>
> ---
> Changes in v2:
> - Delete dev_err() message
>
> drivers/staging/media/meson/vdec/vdec_helpers.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
> index b9125c295d1d..ac60514c475b 100644
> --- a/drivers/staging/media/meson/vdec/vdec_helpers.c
> +++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
> @@ -234,6 +234,9 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> unsigned long flags;
>
> new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
> + if (!new_ts)
> + return;
> +
> new_ts->ts = ts;
> new_ts->tc = tc;
> new_ts->offset = offset;
I don't think this change is ok. Sure, it needs to check if
kzalloc() fails, but it should return -ENOMEM and the caller
should check if it returns an error. So, I would expect
that this patch would also touch the caller function at
drivers/staging/media/meson/vdec/esparser.c.
Regards,
Mauro
Thanks,
Mauro
Powered by blists - more mailing lists