2019-05-22 12:42:11

by Gen Zhang

Subject: [PATCH] drm_edid-load: Fix a missing-check bug in drivers/gpu/drm/drm_edid_load.c

In drm_load_edid_firmware(), fwstr is allocated by kstrdup(), and fwstr
is dereferenced in the following code. However, memory allocation
functions such as kstrdup() may fail and return NULL. Dereferencing
this null pointer may cause the kernel to go wrong. Thus we should check
this kstrdup() operation.
Further, if kstrdup() returns NULL, we should return ERR_PTR(-ENOMEM) to
the call site.

Signed-off-by: Gen Zhang <[email protected]>

---
diff --git a/drivers/gpu/drm/drm_edid_load.c b/drivers/gpu/drm/drm_edid_load.c
index a491509..a0e107a 100644
--- a/drivers/gpu/drm/drm_edid_load.c
+++ b/drivers/gpu/drm/drm_edid_load.c
@@ -290,6 +290,8 @@ struct edid *drm_load_edid_firmware(struct drm_connector *connector)
* the last one found one as a fallback.
*/
fwstr = kstrdup(edid_firmware, GFP_KERNEL);
+ if (!fwstr)
+ return ERR_PTR(-ENOMEM);
edidstr = fwstr;

while ((edidname = strsep(&edidstr, ","))) {
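Review bot: the description does not match what this hunk prevents: with fwstr NULL, `edidstr = fwstr;` followed by `while ((edidname = strsep(&edidstr, ","))) {` is already safe, because strsep() returns NULL for a NULL string pointer and the loop body never executes, so there was no NULL dereference to fix. The added `if (!fwstr) return ERR_PTR(-ENOMEM);` is still worth taking, since it reports the allocation failure to the caller instead of silently behaving as if no EDID firmware name had been configured; suggest rewording the commit message to say that rather than calling it a missing-check bug.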
---


2019-05-22 15:32:46

by Jani Nikula

Subject: Re: [PATCH] drm_edid-load: Fix a missing-check bug in drivers/gpu/drm/drm_edid_load.c

On Wed, 22 May 2019, Gen Zhang <[email protected]> wrote:
> In drm_load_edid_firmware(), fwstr is allocated by kstrdup(), and fwstr
> is dereferenced in the following code. However, memory allocation
> functions such as kstrdup() may fail and return NULL. Dereferencing
> this null pointer may cause the kernel to go wrong. Thus we should check
> this kstrdup() operation.
> Further, if kstrdup() returns NULL, we should return ERR_PTR(-ENOMEM) to
> the call site.

strsep() handles the NULL pointer just fine, so there won't be a NULL
dereference. However, this patch seems like the right thing to do anyway.

Reviewed-by: Jani Nikula <[email protected]>

>
> Signed-off-by: Gen Zhang <[email protected]>
>
> ---
> diff --git a/drivers/gpu/drm/drm_edid_load.c b/drivers/gpu/drm/drm_edid_load.c
> index a491509..a0e107a 100644
> --- a/drivers/gpu/drm/drm_edid_load.c
> +++ b/drivers/gpu/drm/drm_edid_load.c
> @@ -290,6 +290,8 @@ struct edid *drm_load_edid_firmware(struct drm_connector *connector)
> * the last one found one as a fallback.
> */
> fwstr = kstrdup(edid_firmware, GFP_KERNEL);
> + if (!fwstr)
> + return ERR_PTR(-ENOMEM);
> edidstr = fwstr;
>
> while ((edidname = strsep(&edidstr, ","))) {
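Review bot: the new `return ERR_PTR(-ENOMEM);` adds an error-pointer return to a function declared as `struct edid *drm_load_edid_firmware(struct drm_connector *connector)`, so every caller must test the result with IS_ERR() before using it, not with a plain NULL check; the commit message assumes the call site handles ERR_PTR, and that is worth confirming against the existing callers before this is applied, otherwise the new return value would be the pointer that gets dereferenced.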
> ---
> _______________________________________________
> dri-devel mailing list
> [email protected]
> https://lists.freedesktop.org/mailman/listinfo/dri-devel

--
Jani Nikula, Intel Open Source Graphics Center
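Jani's point that strsep() copes with a NULL pointer, and what the two added lines change, can be seen in a userspace model of the parsing loop. This is an added example written for this page, not code from the thread or from drm_edid_load.c; pick_edid_name(), fail_alloc and check_alloc are assumed names, and the matching rules only approximate the kernel loop (a connector-prefixed entry wins, the last unprefixed entry is the fallback).

```c
#define _GNU_SOURCE            /* strsep() and strdup() in glibc's <string.h> */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fault switch: when set, the strdup() standing in for
 * kstrdup() returns NULL, modelling an allocation failure. */
static int fail_alloc;

/* Userspace model of the edid_firmware parsing loop: comma separated
 * "file" or "connector:file" entries, the last unprefixed one being the
 * fallback. Returns 0 with the chosen name in out, -ENOENT if nothing
 * matches, and -ENOMEM when the copy fails but only if check_alloc is
 * set (patched flow); clear, the pre-patch flow hands NULL to strsep(). */
int pick_edid_name(const char *edid_firmware, const char *connector_name,
                   int check_alloc, char *out, size_t outlen)
{
    char *fwstr, *edidstr, *edidname, *colon, *fallback = NULL;
    int ret = -ENOENT;

    fwstr = fail_alloc ? NULL : strdup(edid_firmware);
    if (check_alloc && !fwstr)
        return -ENOMEM;            /* the check the patch adds */
    edidstr = fwstr;

    /* strsep() returns NULL when *edidstr is NULL, so after a failed
     * copy the body never runs: no dereference, just "nothing found". */
    while ((edidname = strsep(&edidstr, ","))) {
        colon = strchr(edidname, ':');
        if (colon) {
            size_t n = colon - edidname;
            if (strncmp(connector_name, edidname, n) ||
                connector_name[n] != '\0')
                continue;          /* entry is for another connector */
            edidname = colon + 1;
            break;
        }
        if (*edidname != '\0')     /* ignore empty ",," entries */
            fallback = edidname;
    }
    if (!edidname)
        edidname = fallback;
    if (edidname) {
        snprintf(out, outlen, "%s", edidname);
        ret = 0;
    }
    free(fwstr);                   /* free(NULL) is a no-op, like kfree(NULL) */
    return ret;
}
```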

2019-05-24 02:35:16

by Gen Zhang

Subject: [PATCH] drm_edid-load: Fix a missing-check bug in drm_load_edid_firmware()

In drm_load_edid_firmware(), fwstr is allocated by kstrdup(), and fwstr
is dereferenced in the following code. However, memory allocation
functions such as kstrdup() may fail and return NULL. Dereferencing
this null pointer may cause the kernel to go wrong. Thus we should check
this kstrdup() operation.
Further, if kstrdup() returns NULL, we should return ERR_PTR(-ENOMEM) to
the call site.

Signed-off-by: Gen Zhang <[email protected]>
Reviewed-by: Jani Nikula <[email protected]>
---
diff --git a/drivers/gpu/drm/drm_edid_load.c b/drivers/gpu/drm/drm_edid_load.c
index a491509..a0e107a 100644
--- a/drivers/gpu/drm/drm_edid_load.c
+++ b/drivers/gpu/drm/drm_edid_load.c
@@ -290,6 +290,8 @@ struct edid *drm_load_edid_firmware(struct drm_connector *connector)
* the last one found one as a fallback.
*/
fwstr = kstrdup(edid_firmware, GFP_KERNEL);
+ if (!fwstr)
+ return ERR_PTR(-ENOMEM);
edidstr = fwstr;

while ((edidname = strsep(&edidstr, ","))) {
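Review bot: this resend carries the Reviewed-by but keeps the original description, which still claims a NULL dereference that the review of the first posting showed cannot happen, since `strsep(&edidstr, ",")` tolerates a NULL edidstr. Before it is applied, the commit message should state what the hunk actually does, turn a silent kstrdup() failure into an explicit ERR_PTR(-ENOMEM), so the git history does not advertise a crash that the code never had; that wording also matters later when the change is triaged for security impact.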
---

2019-05-24 18:06:24

by Jani Nikula

Subject: Re: [PATCH] drm_edid-load: Fix a missing-check bug in drm_load_edid_firmware()

On Fri, 24 May 2019, Gen Zhang <[email protected]> wrote:
> In drm_load_edid_firmware(), fwstr is allocated by kstrdup(), and fwstr
> is dereferenced in the following code. However, memory allocation
> functions such as kstrdup() may fail and return NULL. Dereferencing
> this null pointer may cause the kernel to go wrong. Thus we should check
> this kstrdup() operation.
> Further, if kstrdup() returns NULL, we should return ERR_PTR(-ENOMEM) to
> the call site.
>
> Signed-off-by: Gen Zhang <[email protected]>
> Reviewed-by: Jani Nikula <[email protected]>

Pushed to drm-misc-next, thanks for the patch.

BR,
Jani.

> ---
> diff --git a/drivers/gpu/drm/drm_edid_load.c b/drivers/gpu/drm/drm_edid_load.c
> index a491509..a0e107a 100644
> --- a/drivers/gpu/drm/drm_edid_load.c
> +++ b/drivers/gpu/drm/drm_edid_load.c
> @@ -290,6 +290,8 @@ struct edid *drm_load_edid_firmware(struct drm_connector *connector)
> * the last one found one as a fallback.
> */
> fwstr = kstrdup(edid_firmware, GFP_KERNEL);
> + if (!fwstr)
> + return ERR_PTR(-ENOMEM);
> edidstr = fwstr;
>
> while ((edidname = strsep(&edidstr, ","))) {
> ---

--
Jani Nikula, Intel Open Source Graphics Center

2019-06-18 22:39:53

by Tyler Hicks

Subject: Re: [PATCH] drm_edid-load: Fix a missing-check bug in drivers/gpu/drm/drm_edid_load.c

On 2019-05-22 17:55:35, Jani Nikula wrote:
> On Wed, 22 May 2019, Gen Zhang <[email protected]> wrote:
> > In drm_load_edid_firmware(), fwstr is allocated by kstrdup(), and fwstr
> > is dereferenced in the following code. However, memory allocation
> > functions such as kstrdup() may fail and return NULL. Dereferencing
> > this null pointer may cause the kernel to go wrong. Thus we should check
> > this kstrdup() operation.
> > Further, if kstrdup() returns NULL, we should return ERR_PTR(-ENOMEM) to
> > the call site.
>
> strsep() handles the NULL pointer just fine, so there won't be a NULL
> dereference. However, this patch seems like the right thing to do anyway.

I came across this thread while triaging CVE-2019-12382. I agree that
the code before was fine but more complex than necessary. There's no
real security impact here since a NULL pointer dereference was not
possible. I've requested that MITRE reject CVE-2019-12382.

This change is a nice improvement, though.

Tyler

>
> Reviewed-by: Jani Nikula <[email protected]>
>
> >
> > Signed-off-by: Gen Zhang <[email protected]>
> >
> > ---
> > diff --git a/drivers/gpu/drm/drm_edid_load.c b/drivers/gpu/drm/drm_edid_load.c
> > index a491509..a0e107a 100644
> > --- a/drivers/gpu/drm/drm_edid_load.c
> > +++ b/drivers/gpu/drm/drm_edid_load.c
> > @@ -290,6 +290,8 @@ struct edid *drm_load_edid_firmware(struct drm_connector *connector)
> > * the last one found one as a fallback.
> > */
> > fwstr = kstrdup(edid_firmware, GFP_KERNEL);
> > + if (!fwstr)
> > + return ERR_PTR(-ENOMEM);
> > edidstr = fwstr;
> >
> > while ((edidname = strsep(&edidstr, ","))) {
> > ---
>
> --
> Jani Nikula, Intel Open Source Graphics Center