2019-01-30 09:52:08

by Johan Hovold

Subject: [PATCH] staging: speakup: fix tty-operation NULL derefs

The send_xchar() and tiocmset() tty operations are optional. Add the
missing sanity checks to prevent user-space triggerable NULL-pointer
dereferences.

Fixes: 6b9ad1c742bf ("staging: speakup: add send_xchar, tiocmset and input functionality for tty")
Cc: stable <[email protected]> # 4.13
Cc: Okash Khawaja <[email protected]>
Cc: Samuel Thibault <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
---
drivers/staging/speakup/spk_ttyio.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/speakup/spk_ttyio.c b/drivers/staging/speakup/spk_ttyio.c
index c92bbd05516e..005de0024dd4 100644
--- a/drivers/staging/speakup/spk_ttyio.c
+++ b/drivers/staging/speakup/spk_ttyio.c
@@ -265,7 +265,8 @@ static void spk_ttyio_send_xchar(char ch)
return;
}

- speakup_tty->ops->send_xchar(speakup_tty, ch);
+ if (speakup_tty->ops->send_xchar)
+ speakup_tty->ops->send_xchar(speakup_tty, ch);
mutex_unlock(&speakup_tty_mutex);
}

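Review bot: in spk_ttyio_send_xchar(), when ->send_xchar is NULL the character is now dropped without any trace, and since the function returns void the caller cannot tell that nothing was sent. The check itself is right for closing the NULL dereference. A one-line comment at the new `if` stating that the op is optional for tty drivers (as the commit message says) would make it clear the silent skip is intended and not an oversight.
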
@@ -277,7 +278,8 @@ static void spk_ttyio_tiocmset(unsigned int set, unsigned int clear)
return;
}

- speakup_tty->ops->tiocmset(speakup_tty, set, clear);
+ if (speakup_tty->ops->tiocmset)
+ speakup_tty->ops->tiocmset(speakup_tty, set, clear);
mutex_unlock(&speakup_tty_mutex);
}

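Review bot: the new test in spk_ttyio_tiocmset() guards only the ->tiocmset pointer, so a request to change modem-control lines via `set`/`clear` becomes a silent no-op on drivers that lack the op. If callers rely on those lines being raised or dropped, consider logging once or documenting the limitation at this call site. The check-then-call pattern is now duplicated across both functions, so the same comment wording should be used in each to keep them consistent.
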
--
2.20.1



2019-01-30 09:55:21

by Samuel Thibault

Subject: Re: [PATCH] staging: speakup: fix tty-operation NULL derefs

Johan Hovold, on Wed. 30 Jan. 2019 10:49:34 +0100, wrote:
> The send_xchar() and tiocmset() tty operations are optional. Add the
> missing sanity checks to prevent user-space triggerable NULL-pointer
> dereferences.
>
> Fixes: 6b9ad1c742bf ("staging: speakup: add send_xchar, tiocmset and input functionality for tty")
> Cc: stable <[email protected]> # 4.13
> Cc: Okash Khawaja <[email protected]>
> Cc: Samuel Thibault <[email protected]>
> Signed-off-by: Johan Hovold <[email protected]>

Indeed.

Reviewed-by: Samuel Thibault <[email protected]>

> ---
> drivers/staging/speakup/spk_ttyio.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/speakup/spk_ttyio.c b/drivers/staging/speakup/spk_ttyio.c
> index c92bbd05516e..005de0024dd4 100644
> --- a/drivers/staging/speakup/spk_ttyio.c
> +++ b/drivers/staging/speakup/spk_ttyio.c
> @@ -265,7 +265,8 @@ static void spk_ttyio_send_xchar(char ch)
> return;
> }
>
> - speakup_tty->ops->send_xchar(speakup_tty, ch);
> + if (speakup_tty->ops->send_xchar)
> + speakup_tty->ops->send_xchar(speakup_tty, ch);
> mutex_unlock(&speakup_tty_mutex);
> }
>
> @@ -277,7 +278,8 @@ static void spk_ttyio_tiocmset(unsigned int set, unsigned int clear)
> return;
> }
>
> - speakup_tty->ops->tiocmset(speakup_tty, set, clear);
> + if (speakup_tty->ops->tiocmset)
> + speakup_tty->ops->tiocmset(speakup_tty, set, clear);
> mutex_unlock(&speakup_tty_mutex);
> }
>
> --
> 2.20.1
>

--
Samuel
A: Because it stupidly reverses the natural reading order!
Q: But why is quoting at the end of an article so dreadful?
A: Quoting at the end of an article
Q: What is the most annoying thing on newsgroups?