On 2019-05-22 17:55:35, Jani Nikula wrote:
> On Wed, 22 May 2019, Gen Zhang <blackgod016574@xxxxxxxxx> wrote:
> > In drm_load_edid_firmware(), fwstr is allocated by kstrdup(). And fwstr
> > is dereferenced in the following codes. However, memory allocation
> > functions such as kstrdup() may fail and returns NULL. Dereferencing
> > this null pointer may cause the kernel go wrong. Thus we should check
> > this kstrdup() operation.
> > Further, if kstrdup() returns NULL, we should return ERR_PTR(-ENOMEM) to
> > the caller site.
>
> strsep() handles the NULL pointer just fine, so there won't be a NULL
> dereference. However this patch seems like the right thing to do anyway.
I came across this thread while triaging CVE-2019-12382. I agree that
the code before was fine but more complex than necessary. There's no
real security impact here since a NULL pointer dereference was not
possible. I've requested that MITRE reject CVE-2019-12382.
This change is a nice improvement, though.
Tyler
>
> Reviewed-by: Jani Nikula <jani.nikula@xxxxxxxxx>
>
> >
> > Signed-off-by: Gen Zhang <blackgod016574@xxxxxxxxx>
> >
> > ---
> > diff --git a/drivers/gpu/drm/drm_edid_load.c b/drivers/gpu/drm/drm_edid_load.c
> > index a491509..a0e107a 100644
> > --- a/drivers/gpu/drm/drm_edid_load.c
> > +++ b/drivers/gpu/drm/drm_edid_load.c
> > @@ -290,6 +290,8 @@ struct edid *drm_load_edid_firmware(struct drm_connector *connector)
> > * the last one found one as a fallback.
> > */
> > fwstr = kstrdup(edid_firmware, GFP_KERNEL);
> > + if (!fwstr)
> > + return ERR_PTR(-ENOMEM);
> > edidstr = fwstr;
> >
> > while ((edidname = strsep(&edidstr, ","))) {
> > ---
> > _______________________________________________
> > dri-devel mailing list
> > dri-devel@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.freedesktop.org/mailman/listinfo/dri-devel
>
> --
> Jani Nikula, Intel Open Source Graphics Center
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
