On Wed, 24 Jul 2024, Jani Nikula <jani.nikula@xxxxxxxxxxxxxxx> wrote:
> On Wed, 24 Jul 2024, Ma Ke <make24@xxxxxxxxxxx> wrote:
> > In drm_client_modeset_probe(), the return value of drm_mode_duplicate() is
> > assigned to modeset->mode, which will lead to a possible NULL pointer
> > dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.
> >
> > Cc: stable@xxxxxxxxxxxxxxx
> > Fixes: cf13909aee05 ("drm/fb-helper: Move out modeset config code")
> > Signed-off-by: Ma Ke <make24@xxxxxxxxxxx>
> > ---
> > Changes in v3:
> > - modified patch as suggested, returned error directly when failing to
> > get modeset->mode.
>
> This is not what I suggested, and you can't just return here either.
>
> BR,
> Jani.
>

I have carefully read through your comments. Based on your comments on the patches I submitted, I am uncertain about the appropriate course of action following the return value check (whether to continue or to return directly, as both are common approaches in dealing with function drm_mode_duplicate() in the Linux kernel, and such handling has received 'acked-by' in similar vulnerabilities). Could you provide some advice on this matter? Certainly, adding a return value check is essential, the reasons for which have been detailed in the vulnerability description. I am looking forward to your guidance and response. Thank you!

Best regards,
Ma Ke

> > Changes in v2:
> > - added the recipient's email address, due to the prolonged absence of a
> > response from the recipients.
> > - added Cc stable.
> > ---
> > drivers/gpu/drm/drm_client_modeset.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c
> > index 31af5cf37a09..750b8dce0f90 100644
> > --- a/drivers/gpu/drm/drm_client_modeset.c
> > +++ b/drivers/gpu/drm/drm_client_modeset.c
> > @@ -880,6 +880,9 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width, > > > > kfree(modeset->mode); > > modeset->mode = drm_mode_duplicate(dev, mode); > > + if (!modeset->mode) > > + return 0; > > + > > drm_connector_get(connector); > > modeset->connectors[modeset->num_connectors++] = connector; > > modeset->x = offset->x; > > -- > Jani Nikula, Intel
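Review bot: the `return 0` added right after `modeset->mode = drm_mode_duplicate(dev, mode);` is the wrong shape for this failure: it reports success to the caller while leaving this modeset with a NULL mode, and it bails out of the middle of the connector loop, skipping the remaining connectors and whatever teardown drm_client_modeset_probe() performs after the loop on its normal exit, which is what Jani's "you can't just return here" refers to. Pick one of two behaviours and say which in the commit message: either treat the failed duplicate as an error and route it through the function's existing exit path (`ret = -ENOMEM;` followed by a jump to the cleanup label, if the function has one, rather than a bare `return`), or, if a connector whose mode could not be duplicated should simply be left out of the configuration, skip the `drm_connector_get(connector);` / `modeset->connectors[modeset->num_connectors++] = connector;` bookkeeping for this iteration and continue with the next connector. The placement of the check itself is fine: the `kfree(modeset->mode)` precedes the assignment, so a NULL result leaves no dangling pointer to double-free.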
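As an added illustration of the choice Ma Ke asks about (constructed example code, not the patch, the kernel, or either participant's code), the mock below models the allocate-in-a-loop pattern with a fault-injecting stand-in for drm_mode_duplicate() and runs the three candidate reactions to a failed duplicate: a bare `return 0`, an error propagated through a single cleanup label, and `continue`. The lock, the scratch buffer and every name here (`mock_probe`, `run_scenario`, `mode_duplicate`) are hypothetical; whether drm_client_modeset_probe() holds a lock or allocates scratch across its loop is not shown on this page.

```c
/*
 * Constructed example: "duplicate a mode for each connector inside a loop"
 * with three possible reactions to an allocation failure.  Not kernel code;
 * the lock and scratch buffer are hypothetical stand-ins for whatever the
 * real probe function sets up before its loop and tears down after it.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mode { int hdisplay, vdisplay; };
struct modeset { struct mode *mode; int num_connectors; };

/* Fault-injecting stand-in for drm_mode_duplicate(): fails on call #fail_on_call. */
static int alloc_calls, fail_on_call;

static struct mode *mode_duplicate(const struct mode *m)
{
	struct mode *d;

	if (++alloc_calls == fail_on_call)
		return NULL;
	d = malloc(sizeof(*d));
	if (d)
		*d = *m;
	return d;
}

/* Observable side effects: is the (hypothetical) lock still held, is scratch leaked? */
static int lock_held, live_scratch;

enum policy { POLICY_BARE_RETURN, POLICY_GOTO_OUT, POLICY_CONTINUE };

static int mock_probe(struct modeset *sets, const struct mode *modes, int n,
		      enum policy p)
{
	int ret = 0, i;
	int *scratch;

	lock_held = 1;				/* mutex_lock(...) */
	scratch = calloc(n, sizeof(*scratch));	/* per-connector scratch */
	if (!scratch) {
		ret = -ENOMEM;
		goto out;
	}
	live_scratch++;

	for (i = 0; i < n; i++) {
		free(sets[i].mode);		/* kfree(modeset->mode) */
		sets[i].mode = mode_duplicate(&modes[i]);
		if (!sets[i].mode) {
			switch (p) {
			case POLICY_BARE_RETURN:
				/* What the v3 hunk does: lock stays held, scratch
				 * leaks, and the caller is told all went fine. */
				return 0;
			case POLICY_GOTO_OUT:
				ret = -ENOMEM;	/* propagate through the one exit path */
				goto out;
			case POLICY_CONTINUE:
				continue;	/* leave this modeset empty, try the next */
			}
		}
		sets[i].num_connectors = 1;	/* bookkeeping that needs a valid mode */
	}
out:
	if (scratch) {
		free(scratch);
		live_scratch--;
	}
	lock_held = 0;				/* mutex_unlock(...) */
	return ret;
}

struct outcome { int ret, lock_held, scratch_leaked, modes_set; };

/* Run one policy over three constructed modes, failing the fail_call-th duplicate. */
struct outcome run_scenario(enum policy p, int fail_call)
{
	const struct mode modes[3] = { {640, 480}, {800, 600}, {1024, 768} };
	struct modeset sets[3];
	struct outcome o = {0};
	int i;

	memset(sets, 0, sizeof(sets));
	alloc_calls = 0;
	fail_on_call = fail_call;
	live_scratch = 0;

	o.ret = mock_probe(sets, modes, 3, p);
	o.lock_held = lock_held;
	o.scratch_leaked = live_scratch;
	for (i = 0; i < 3; i++) {
		if (sets[i].mode)
			o.modes_set++;
		free(sets[i].mode);
	}
	return o;
}

int main(void)
{
	const char *names[] = { "bare return", "goto out", "continue" };
	int p;

	for (p = POLICY_BARE_RETURN; p <= POLICY_CONTINUE; p++) {
		struct outcome o = run_scenario((enum policy)p, 2);
		printf("%-11s ret=%d lock_held=%d scratch_leaked=%d modes_set=%d\n",
		       names[p], o.ret, o.lock_held, o.scratch_leaked, o.modes_set);
	}
	return 0;
}
```

With the second duplicate forced to fail, the bare return leaves the lock held and the scratch buffer leaked while returning 0; the goto variant returns -ENOMEM with everything released; the continue variant returns 0 with two of three modesets populated and the failed one left empty, which is only acceptable if every later consumer tolerates a NULL mode in that slot.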