lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <YfPN6u4LGufH2gLe@kroah.com>
Date:   Fri, 28 Jan 2022 12:05:14 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Laurent Pinchart <laurent.pinchart@...asonboard.com>
Cc:     Zhou Qingyang <zhou1615@....edu>, kjlu@....edu,
        Benoit Parrot <bparrot@...com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Hans Verkuil <hverkuil-cisco@...all.nl>,
        linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: ti-vpe: cal: Fix a NULL pointer dereference in
 cal_ctx_v4l2_init_formats()

On Fri, Jan 28, 2022 at 12:32:30PM +0200, Laurent Pinchart wrote:
> Hi Greg,
> 
> On Fri, Jan 28, 2022 at 11:19:36AM +0100, Greg KH wrote:
> > On Tue, Jan 25, 2022 at 01:20:01AM +0800, Zhou Qingyang wrote:
> > > In cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to fw and there
> > > is a dereference of it after that, which could lead to NULL pointer
> > > dereference on failure of devm_kzalloc().
> > > 
> > > Fix this bug by adding a NULL check of ctx->active_fmt.
> > > 
> > > This bug was found by a static analyzer.
> > > 
> > > Builds with 'make allyesconfig' show no new warnings,
> > > and our static analyzer no longer warns about this code.
> > > 
> > > Fixes: 7168155002cf ("media: ti-vpe: cal: Move format handling to cal.c and expose helpers")
> > > Signed-off-by: Zhou Qingyang <zhou1615@....edu>
> > > --
> > > The analysis employs differential checking to identify inconsistent 
> > > security operations (e.g., checks or kfrees) between two code paths 
> > > and confirms that the inconsistent operations are not recovered in the
> > > current function or the callers, so they constitute bugs. 
> > > 
> > > Note that, as a bug found by static analysis, it can be a false
> > > positive or hard to trigger. Multiple researchers have cross-reviewed
> > > the bug.
> > > 
> > >  drivers/media/platform/ti-vpe/cal-video.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/drivers/media/platform/ti-vpe/cal-video.c b/drivers/media/platform/ti-vpe/cal-video.c
> > > index 7799da1cc261..3e936a2ca36c 100644
> > > --- a/drivers/media/platform/ti-vpe/cal-video.c
> > > +++ b/drivers/media/platform/ti-vpe/cal-video.c
> > > @@ -823,6 +823,9 @@ static int cal_ctx_v4l2_init_formats(struct cal_ctx *ctx)
> > >  	/* Enumerate sub device formats and enable all matching local formats */
> > >  	ctx->active_fmt = devm_kcalloc(ctx->cal->dev, cal_num_formats,
> > >  				       sizeof(*ctx->active_fmt), GFP_KERNEL);
> > > +	if (!ctx->active_fmt)
> > > +		return -ENOMEM;
> > > +
> > >  	ctx->num_active_fmt = 0;
> > >  
> > >  	for (j = 0, i = 0; ; ++j) {
> > 
> > As stated before, umn.edu is still not allowed to contribute to the
> > Linux kernel.  Please work with your administration to resolve this
> > issue.
> 
> I thought this had been resolved, my bad. I can drop the patch, but it
> fixes a real bug (although unlikely). Should I re-author this fix ?

If you think it actually fixes something, and does not cause a leak,
yes, please re-author it and feel free to take it.

But be aware that other submissions in this "set" are incorrect, and the
process we were working on with umn.edu was totally ignored, so feel
free to just drop it if you don't want to worry about it.  Failures of
kcalloc are pretty much impossible to hit as we all know.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ