lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240724105535.1524294-1-make24@iscas.ac.cn>
Date: Wed, 24 Jul 2024 18:55:35 +0800
From: Ma Ke <make24@...as.ac.cn>
To: jani.nikula@...ux.intel.com
Cc: airlied@...il.com,
	daniel@...ll.ch,
	dri-devel@...ts.freedesktop.org,
	linux-kernel@...r.kernel.org,
	maarten.lankhorst@...ux.intel.com,
	make24@...as.ac.cn,
	mripard@...nel.org,
	noralf@...nnes.org,
	sam@...nborg.org,
	stable@...r.kernel.org,
	tzimmermann@...e.de
Subject: Re: [PATCH v3] drm/client: fix null pointer dereference in drm_client_modeset_probe

On Wed, 24 Jul 2024, Jani Nikula <jani.nikula@...ux.intel.com> wrote:
> On Wed, 24 Jul 2024, Ma Ke <make24@...as.ac.cn> wrote:
> > In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is
> > assigned to modeset->mode, which will lead to a possible NULL pointer
> > dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.
> >
> > Cc: stable@...r.kernel.org
> > Fixes: cf13909aee05 ("drm/fb-helper: Move out modeset config code")
> > Signed-off-by: Ma Ke <make24@...as.ac.cn>
> > ---
> > Changes in v3:
> > - modified patch as suggestions, returned error directly when failing to 
> > get modeset->mode.
> 
> This is not what I suggested, and you can't just return here either.
> 
> BR,
> Jani.
> 

I have carefully read through your comments. Based on your comments on the 
patchs I submitted, I am uncertain about the appropriate course of action 
following the return value check(whether to continue or to return directly,
as both are common approaches in dealing with function drm_mode_duplicate()
in Linux kernel, and such handling has received 'acked-by' in similar 
vulnerabilities). Could you provide some advice on this matter? Certainly, 
adding a return value check is essential, the reasons for which have been 
detailed in the vulnerability description. I am looking forward to your 
guidance and response. Thank you!

Best regards,

Ma Ke

> 
> > Changes in v2:
> > - added the recipient's email address, due to the prolonged absence of a 
> > response from the recipients.
> > - added Cc stable.
> > ---
> >  drivers/gpu/drm/drm_client_modeset.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c
> > index 31af5cf37a09..750b8dce0f90 100644
> > --- a/drivers/gpu/drm/drm_client_modeset.c
> > +++ b/drivers/gpu/drm/drm_client_modeset.c
> > @@ -880,6 +880,9 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width,
> >  
> >  			kfree(modeset->mode);
> >  			modeset->mode = drm_mode_duplicate(dev, mode);
> > +			if (!modeset->mode)
> > +				return 0;
> > +
> >  			drm_connector_get(connector);
> >  			modeset->connectors[modeset->num_connectors++] = connector;
> >  			modeset->x = offset->x;
> 
> -- 
> Jani Nikula, Intel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ