Message-ID: <fc9d282d-e1ac-b99f-7ba0-77bb9c52cca4@amd.com>
Date:   Mon, 17 Apr 2023 16:42:30 +0200
From:   Christian König <christian.koenig@....com>
To:     Nikita Zhandarovich <n.zhandarovich@...tech.ru>,
        Alex Deucher <alexander.deucher@....com>
Cc:     "Pan, Xinhui" <Xinhui.Pan@....com>,
        David Airlie <airlied@...il.com>,
        Daniel Vetter <daniel@...ll.ch>,
        Jerome Glisse <jglisse@...hat.com>,
        amd-gfx@...ts.freedesktop.org, dri-devel@...ts.freedesktop.org,
        linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] drm/ttm: fix null-ptr-deref in radeon_ttm_tt_populate()



On 17.04.23 at 16:34, Nikita Zhandarovich wrote:
> Currently, drm_prime_sg_to_page_addr_arrays() dereferences 'gtt->ttm'
> without ensuring that 'gtt' (and therefore 'gtt->ttm') is not NULL.
>
> Fix this by testing 'gtt' for NULL value before dereferencing.
>
> Found by Linux Verification Center (linuxtesting.org) with static
> analysis tool SVACE.
>
> Fixes: 40f5cf996991 ("drm/radeon: add PRIME support (v2)")
> Signed-off-by: Nikita Zhandarovich <n.zhandarovich@...tech.ru>
> ---
>   drivers/gpu/drm/radeon/radeon_ttm.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
> index 1e8e287e113c..33d01c3bdee4 100644
> --- a/drivers/gpu/drm/radeon/radeon_ttm.c
> +++ b/drivers/gpu/drm/radeon/radeon_ttm.c
> @@ -553,7 +553,7 @@ static int radeon_ttm_tt_populate(struct ttm_device *bdev,
>   		return 0;
>   	}
>   
> -	if (slave && ttm->sg) {
> +	if (gtt && slave && ttm->sg) {

The gtt variable is derived from the ttm variable and so never NULL 
here. The only case when this can be NULL is for AGP and IIRC we don't 
support DMA-buf in this case.

>   		drm_prime_sg_to_dma_addr_array(ttm->sg, gtt->ttm.dma_address,

Just use ttm->dma_addresses instead of gtt->ttm.dma_address here to make 
your automated checker happy.

Regards,
Christian.

>   					       ttm->num_pages);
>   		return 0;
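
Review bot: The `gtt &&` test added to the `if (slave && ttm->sg)` condition guards only this branch, so a NULL gtt would skip the sg path and continue into the code after `return 0;`, which this hunk does not show and which would need the same audit. If gtt cannot be NULL at this point, the test is dead code; the dereference being flagged is `gtt->ttm.dma_address` in the call inside the branch, and taking the DMA address array from `ttm` directly, as the reply suggests, removes that dereference without adding a condition. The commit message also names drm_prime_sg_to_page_addr_arrays() while the call in the hunk is drm_prime_sg_to_dma_addr_array(); the message should name the function the code actually calls.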
