| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87jzhakfn7.fsf@intel.com>
Date: Wed, 24 Jul 2024 17:50:52 +0300
From: Jani Nikula <jani.nikula@...ux.intel.com>
To: Ma Ke <make24@...as.ac.cn>
Cc: airlied@...il.com, daniel@...ll.ch, dri-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org, maarten.lankhorst@...ux.intel.com,
make24@...as.ac.cn, mripard@...nel.org, noralf@...nnes.org,
sam@...nborg.org, stable@...r.kernel.org, tzimmermann@...e.de
Subject: Re: [PATCH v3] drm/client: fix null pointer dereference in
drm_client_modeset_probe
On Wed, 24 Jul 2024, Ma Ke <make24@...as.ac.cn> wrote:
> On Wed, 24 Jul 2024, Jani Nikula <jani.nikula@...ux.intel.com> wrote:
>> On Wed, 24 Jul 2024, Ma Ke <make24@...as.ac.cn> wrote:
>> > In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is
>> > assigned to modeset->mode, which will lead to a possible NULL pointer
>> > dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.
>> >
>> > Cc: stable@...r.kernel.org
>> > Fixes: cf13909aee05 ("drm/fb-helper: Move out modeset config code")
>> > Signed-off-by: Ma Ke <make24@...as.ac.cn>
>> > ---
>> > Changes in v3:
>> > - modified patch as suggestions, returned error directly when failing to
>> > get modeset->mode.
>>
>> This is not what I suggested, and you can't just return here either.
>>
>> BR,
>> Jani.
>>
>
> I have carefully read through your comments. Based on your comments on the
> patchs I submitted, I am uncertain about the appropriate course of action
> following the return value check(whether to continue or to return directly,
> as both are common approaches in dealing with function drm_mode_duplicate()
> in Linux kernel, and such handling has received 'acked-by' in similar
> vulnerabilities). Could you provide some advice on this matter? Certainly,
> adding a return value check is essential, the reasons for which have been
> detailed in the vulnerability description. I am looking forward to your
> guidance and response. Thank you!
Everything depends on the context. You can't just go ahead and do the
same thing everywhere. If you handle errors, even the highly unlikely
ones such as this one, you better do it properly.
If you continue here, you'll still leave modeset->mode NULL. And you
don't propagate the error. Something else is going to hit the issue
soon.
If you return directly, you'll leave holding a few locks, and leaking
memory.
There's already some error handling in the function, in the same loop
even. Set ret = -ENOMEM and break.
(However, you could still argue there's an existing problem in the error
handling in that all modeset->connectors aren't put and cleaned up.)
BR,
Jani.
>
> Best regards,
>
> Ma Ke
>
>>
>> > Changes in v2:
>> > - added the recipient's email address, due to the prolonged absence of a
>> > response from the recipients.
>> > - added Cc stable.
>> > ---
>> > drivers/gpu/drm/drm_client_modeset.c | 3 +++
>> > 1 file changed, 3 insertions(+)
>> >
>> > diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c
>> > index 31af5cf37a09..750b8dce0f90 100644
>> > --- a/drivers/gpu/drm/drm_client_modeset.c
>> > +++ b/drivers/gpu/drm/drm_client_modeset.c
>> > @@ -880,6 +880,9 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width,
>> >
>> > kfree(modeset->mode);
>> > modeset->mode = drm_mode_duplicate(dev, mode);
>> > + if (!modeset->mode)
>> > + return 0;
>> > +
>> > drm_connector_get(connector);
>> > modeset->connectors[modeset->num_connectors++] = connector;
>> > modeset->x = offset->x;
>>
>> --
>> Jani Nikula, Intel
--
Jani Nikula, Intel
Powered by blists - more mailing lists