Re: [PATCH] media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jan 28, 2022 at 12:32:30PM +0200, Laurent Pinchart wrote:
> Hi Greg,
> 
> On Fri, Jan 28, 2022 at 11:19:36AM +0100, Greg KH wrote:
> > On Tue, Jan 25, 2022 at 01:20:01AM +0800, Zhou Qingyang wrote:
> > > In cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to fw and there
> > > is a dereference of it after that, which could lead to NULL pointer
> > > dereference on failure of devm_kzalloc().
> > > 
> > > Fix this bug by adding a NULL check of ctx->active_fmt.
> > > 
> > > This bug was found by a static analyzer.
> > > 
> > > Builds with 'make allyesconfig' show no new warnings,
> > > and our static analyzer no longer warns about this code.
> > > 
> > > Fixes: 7168155002cf ("media: ti-vpe: cal: Move format handling to cal.c and expose helpers")
> > > Signed-off-by: Zhou Qingyang <zhou1615@xxxxxxx>
> > > --
> > > The analysis employs differential checking to identify inconsistent 
> > > security operations (e.g., checks or kfrees) between two code paths 
> > > and confirms that the inconsistent operations are not recovered in the
> > > current function or the callers, so they constitute bugs. 
> > > 
> > > Note that, as a bug found by static analysis, it can be a false
> > > positive or hard to trigger. Multiple researchers have cross-reviewed
> > > the bug.
> > > 
> > >  drivers/media/platform/ti-vpe/cal-video.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/drivers/media/platform/ti-vpe/cal-video.c b/drivers/media/platform/ti-vpe/cal-video.c
> > > index 7799da1cc261..3e936a2ca36c 100644
> > > --- a/drivers/media/platform/ti-vpe/cal-video.c
> > > +++ b/drivers/media/platform/ti-vpe/cal-video.c
> > > @@ -823,6 +823,9 @@ static int cal_ctx_v4l2_init_formats(struct cal_ctx *ctx)
> > >  	/* Enumerate sub device formats and enable all matching local formats */
> > >  	ctx->active_fmt = devm_kcalloc(ctx->cal->dev, cal_num_formats,
> > >  				       sizeof(*ctx->active_fmt), GFP_KERNEL);
> > > +	if (!ctx->active_fmt)
> > > +		return -ENOMEM;
> > > +
> > >  	ctx->num_active_fmt = 0;
> > >  
> > >  	for (j = 0, i = 0; ; ++j) {
> > 
> > As stated before, umn.edu is still not allowed to contribute to the
> > Linux kernel.  Please work with your administration to resolve this
> > issue.
> 
> I thought this had been resolved, my bad. I can drop the patch, but it
> fixes a real bug (although unlikely). Should I re-author this fix ?

If you think it actually fixes something, and does not cause a leak,
yes, please re-author it and feel free to take it.

But be aware that other submissions in this "set" are incorrect, and the
process we were working on with umn.edu was totally ignored, so feel
free to just drop it if you don't want to worry about it.  Failures of
kcalloc are pretty much impossible to hit as we all know.

thanks,

greg k-h



[Index of Archives]     [Linux Input]     [Video for Linux]     [Gstreamer Embedded]     [Mplayer Users]     [Linux USB Devel]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]

  Powered by Linux