| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220401213114.11956-1-paskripkin@gmail.com>
Date: Sat, 2 Apr 2022 00:31:14 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: sumit.semwal@...aro.org, gustavo@...ovan.org,
christian.koenig@....com, daniel.vetter@...ll.ch
Cc: linux-media@...r.kernel.org, dri-devel@...ts.freedesktop.org,
linaro-mm-sig@...ts.linaro.org, linux-kernel@...r.kernel.org,
Pavel Skripkin <paskripkin@...il.com>
Subject: [PATCH next v2] dma-buf/sync-file: do not allow zero size allocation
num_fences is user-controlled value and it can be equal to 0. Code
should not pass 0 to kcalloc(), since it will cause kcalloc() to return
ZERO_PTR. ZERO_PTR will pass `!fences` check and kernel will panic
because of dereferencing ZERO_PTR in add_fence()
Fix it by validating num_fences and bail out early if it is equal to 0
Fixes: 519f490db07e ("dma-buf/sync-file: fix warning about fence containers")
Signed-off-by: Pavel Skripkin <paskripkin@...il.com>
---
Changes since v1:
- Dropped already merged part
- Removed syzkaller's tag
---
drivers/dma-buf/sync_file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma-buf/sync_file.c b/drivers/dma-buf/sync_file.c
index b8dea4ec123b..024f22193e0c 100644
--- a/drivers/dma-buf/sync_file.c
+++ b/drivers/dma-buf/sync_file.c
@@ -212,7 +212,7 @@ static struct sync_file *sync_file_merge(const char *name, struct sync_file *a,
dma_fence_unwrap_for_each(b_fence, &b_iter, b->fence)
++num_fences;
- if (num_fences > INT_MAX)
+ if (num_fences > INT_MAX || !num_fences)
goto err_free_sync_file;
fences = kcalloc(num_fences, sizeof(*fences), GFP_KERNEL);
--
2.35.1
Powered by blists - more mailing lists