| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240724105535.1524294-1-make24@iscas.ac.cn>
Date: Wed, 24 Jul 2024 18:55:35 +0800
From: Ma Ke <make24@...as.ac.cn>
To: jani.nikula@...ux.intel.com
Cc: airlied@...il.com,
daniel@...ll.ch,
dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org,
maarten.lankhorst@...ux.intel.com,
make24@...as.ac.cn,
mripard@...nel.org,
noralf@...nnes.org,
sam@...nborg.org,
stable@...r.kernel.org,
tzimmermann@...e.de
Subject: Re: [PATCH v3] drm/client: fix null pointer dereference in drm_client_modeset_probe
On Wed, 24 Jul 2024, Jani Nikula <jani.nikula@...ux.intel.com> wrote:
> On Wed, 24 Jul 2024, Ma Ke <make24@...as.ac.cn> wrote:
> > In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is
> > assigned to modeset->mode, which will lead to a possible NULL pointer
> > dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.
> >
> > Cc: stable@...r.kernel.org
> > Fixes: cf13909aee05 ("drm/fb-helper: Move out modeset config code")
> > Signed-off-by: Ma Ke <make24@...as.ac.cn>
> > ---
> > Changes in v3:
> > - modified patch as suggestions, returned error directly when failing to
> > get modeset->mode.
>
> This is not what I suggested, and you can't just return here either.
>
> BR,
> Jani.
>
I have carefully read through your comments. Based on your comments on the
patchs I submitted, I am uncertain about the appropriate course of action
following the return value check(whether to continue or to return directly,
as both are common approaches in dealing with function drm_mode_duplicate()
in Linux kernel, and such handling has received 'acked-by' in similar
vulnerabilities). Could you provide some advice on this matter? Certainly,
adding a return value check is essential, the reasons for which have been
detailed in the vulnerability description. I am looking forward to your
guidance and response. Thank you!
Best regards,
Ma Ke
>
> > Changes in v2:
> > - added the recipient's email address, due to the prolonged absence of a
> > response from the recipients.
> > - added Cc stable.
> > ---
> > drivers/gpu/drm/drm_client_modeset.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c
> > index 31af5cf37a09..750b8dce0f90 100644
> > --- a/drivers/gpu/drm/drm_client_modeset.c
> > +++ b/drivers/gpu/drm/drm_client_modeset.c
> > @@ -880,6 +880,9 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width,
> >
> > kfree(modeset->mode);
> > modeset->mode = drm_mode_duplicate(dev, mode);
> > + if (!modeset->mode)
> > + return 0;
> > +
> > drm_connector_get(connector);
> > modeset->connectors[modeset->num_connectors++] = connector;
> > modeset->x = offset->x;
>
> --
> Jani Nikula, Intel
Powered by blists - more mailing lists