Laurent Pinchart wrote:
> On Monday 31 August 2009 15:19:32 Mauro Carvalho Chehab wrote:
>> On Mon, 31 Aug 2009 08:52:38 +0200
>> Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx> wrote:
>>>> - dereferencing a NULL pointer is not always result segfault, see [1]
>>>> and [2]. So dereferencing a NULL pointer can be treated also as a
>>>> security risk.
>>
>> From kernelspace drivers POV, any calls sending a NULL pointer should
>> result in an error as soon as possible, to avoid any security risks.
>> Currently, this check is left to the driver, but we should consider
>> implementing such control globally, at video_ioctl2 and at compat32 layer.
>>
>> IMHO, libv4l should mimic the driver behavior of returning an error instead
>> of letting the application to segfault, since, on some critical
>> applications, like video-surveillance security systems, a segfault could be
>> very bad.
>
> And uncaught errors would be even better. A segfault will be noticed right
> away, while an unhandled error code might slip through to the released
> software. If a security-sensitive application passes a NULL pointer where it
> shouldn't I'd rather see the development machine burst into flames instead of
> silently ignoring the problem.

I have an example. Let's imagine the following code:

    struct v4l2_capability* cap;

    cap = malloc(sizeof(*cap));
    ret = ioctl(f, VIDIOC_QUERYCAP, cap);
    if (ret == -1) {
        /* error handling */
    }

Does this code contain an implementation problem? Yes, the value of cap should be checked whether it is NULL or not.

Will this code cause a problem? Most of the time not, only in case of a low memory condition, thus this implementation problem will usually not be detected if the ioctl() caused a segfault on NULL pointers.

One more thing I would like to mention on this topic. This is coming from the C language which does not contain structured exception handling as for example Java has with its exception handling capability. The usual way to signal errors is through the return value. This is what a C programmer learns and this is what she or he expects. Signals such as segfault are out of the scope of the C language.

Regards,

Márton Németh
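An added example in C, not code from the thread or from libv4l, showing both points under discussion: a wrapper that returns an error for a NULL argument before it reaches ioctl() (the driver-style behaviour Mauro describes for libv4l), and the malloc pattern from the mail with the missing NULL check in place. The names ioctl_checked and query_with_alloc are invented for this example; a real caller would pass VIDIOC_QUERYCAP from <linux/videodev2.h> as the request.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>

/* Hypothetical libv4l-style wrapper: reject a NULL argument with -1/EFAULT
 * (the same error the kernel reports for a bad user pointer) instead of
 * letting the call dereference it. */
int ioctl_checked(int fd, unsigned long request, void *arg)
{
    if (arg == NULL) {
        errno = EFAULT;
        return -1;
    }
    return ioctl(fd, request, arg);
}

/* The allocation pattern from the mail, now checking malloc() before the
 * ioctl and preserving errno while cleaning up on failure.  On success the
 * buffer is handed to the caller through *out. */
int query_with_alloc(int fd, unsigned long request, size_t size, void **out)
{
    void *buf = malloc(size);

    if (buf == NULL)            /* low-memory path: report, don't dereference */
        return -1;              /* malloc() has already set errno to ENOMEM */

    if (ioctl_checked(fd, request, buf) == -1) {
        int saved = errno;      /* free() may clobber errno */
        free(buf);
        errno = saved;
        return -1;
    }
    *out = buf;
    return 0;
}

int main(void)
{
    /* No device is opened here; fd -1 and request 0 only exercise the
     * error paths: NULL argument -> EFAULT, bad descriptor -> EBADF. */
    if (ioctl_checked(-1, 0, NULL) == -1)
        printf("NULL argument rejected: %s\n", strerror(errno));
    void *cap = NULL;
    if (query_with_alloc(-1, 0, 104, &cap) == -1)
        printf("query failed cleanly: %s\n", strerror(errno));
    return 0;
}
```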