2021-03-31 16:44:57

by Hassan Shahbazi

[permalink] [raw]
Subject: [PATCH] fix NULL pointer deference crash

The patch has fixed a NULL pointer deference crash in hiding the cursor. It
is verified by syzbot patch tester.

Reported by: syzbot
https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b

Signed-off-by: Hassan Shahbazi <[email protected]>
---
drivers/video/fbdev/core/fbcon.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 44a5cd2f54cc..ee252d1c43c6 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)

ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;

- ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
- get_color(vc, info, c, 0));
+ if (ops && ops->cursor)
+ ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
+ get_color(vc, info, c, 0));
}

static int scrollback_phys_max = 0;
--
2.26.3


2021-03-31 17:37:34

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH] fix NULL pointer deference crash

On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> The patch has fixed a NULL pointer deference crash in hiding the cursor. It
> is verified by syzbot patch tester.
>
> Reported by: syzbot
> https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
>
> Signed-off-by: Hassan Shahbazi <[email protected]>
> ---
> drivers/video/fbdev/core/fbcon.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 44a5cd2f54cc..ee252d1c43c6 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
>
> ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
>
> - ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> - get_color(vc, info, c, 0));
> + if (ops && ops->cursor)

As ops obviously is not NULL here (you just used it on the line above),
why are you checking it again?

And what makes curser be NULL here? How can that happen?

Also your subject line can use some work, please make it reflect the
driver subsystem you are looking at.

thanks,

greg k-h

2021-03-31 20:09:01

by Dan Carpenter

[permalink] [raw]
Subject: Re: [PATCH] fix NULL pointer deference crash

Hi Hassan,

url: https://github.com/0day-ci/linux/commits/Hassan-Shahbazi/fix-NULL-pointer-deference-crash/20210401-004543
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 5e46d1b78a03d52306f21f77a4e4a144b6d31486
config: x86_64-randconfig-m001-20210330 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>

New smatch warnings:
drivers/video/fbdev/core/fbcon.c:1336 fbcon_cursor() warn: variable dereferenced before check 'ops' (see line 1324)

Old smatch warnings:
drivers/video/fbdev/core/fbcon.c:3028 fbcon_get_con2fb_map_ioctl() warn: potential spectre issue 'con2fb_map' [r]

vim +/ops +1336 drivers/video/fbdev/core/fbcon.c

^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1318 static void fbcon_cursor(struct vc_data *vc, int mode)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1319 {
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1320 struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1321 struct fbcon_ops *ops = info->fbcon_par;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1322 int c = scr_readw((u16 *) vc->vc_pos);
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1323
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 @1324 ops->cur_blink_jiffies = msecs_to_jiffies(vc->vc_cur_blink_ms);
2a17d7e80f1df44 drivers/video/console/fbcon.c Scot Doyle 2015-08-04 1325
d1e2306681ad3cb drivers/video/console/fbcon.c Michal Januszewski 2007-05-08 1326 if (fbcon_is_inactive(vc, info) || vc->vc_deccm != 1)
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1327 return;
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1328
c0e4b3ad67997a6 drivers/video/fbdev/core/fbcon.c Jiri Slaby 2020-06-15 1329 if (vc->vc_cursor_type & CUR_SW)
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1330 fbcon_del_cursor_timer(info);
a5edce421848442 drivers/video/console/fbcon.c Thierry Reding 2015-05-21 1331 else
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1332 fbcon_add_cursor_timer(info);
acba9cd01974353 drivers/video/console/fbcon.c Antonino A. Daplas 2007-07-17 1333
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1334 ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
^^^^^^^^^^^^^^^^^
Dereferenced

^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1335
1d73453653c6d4f drivers/video/fbdev/core/fbcon.c Hassan Shahbazi 2021-03-31 @1336 if (ops && ops->cursor)
^^^
Checked too late

06a0df4d1b8b13b drivers/video/fbdev/core/fbcon.c Linus Torvalds 2020-09-08 1337 ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1338 get_color(vc, info, c, 0));
^1da177e4c3f415 drivers/video/console/fbcon.c Linus Torvalds 2005-04-16 1339 }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]


Attachments:
(No filename) (3.64 kB)
.config.gz (44.30 kB)
Download all attachments

2021-04-01 06:23:59

by Hassan Shahbazi

[permalink] [raw]
Subject: Re: [PATCH] fix NULL pointer deference crash

On Wed, Mar 31, 2021 at 07:32:06PM +0200, Greg KH wrote:
> On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> > The patch has fixed a NULL pointer deference crash in hiding the cursor. It
> > is verified by syzbot patch tester.
> >
> > Reported by: syzbot
> > https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
> >
> > Signed-off-by: Hassan Shahbazi <[email protected]>
> > ---
> > drivers/video/fbdev/core/fbcon.c | 5 +++--
> > 1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > index 44a5cd2f54cc..ee252d1c43c6 100644
> > --- a/drivers/video/fbdev/core/fbcon.c
> > +++ b/drivers/video/fbdev/core/fbcon.c
> > @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
> >
> > ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
> >
> > - ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> > - get_color(vc, info, c, 0));
> > + if (ops && ops->cursor)
>
> As ops obviously is not NULL here (you just used it on the line above),
> why are you checking it again?

Yes, that's right. I will remove that check and will submit a new patch.


> And what makes curser be NULL here? How can that happen?

Honestly, I don't know. I reproduced the crash on my local, followed the
stack trace, and then changed the line to avoid the crash. If you think this
patch is not the best solution, I can drop it and investigate more to find
the root cause.


> Also your subject line can use some work, please make it reflect the
> driver subsystem you are looking at.

This was a mistake, I did not intend to change the subject. I will ensure
the next patch reflects the subsystem.

> thanks,
>
> greg k-h

Best,
Hassan Shahbazi

2021-04-01 06:57:14

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH] fix NULL pointer deference crash

On Thu, Apr 01, 2021 at 09:21:54AM +0300, Hassan Shahbazi wrote:
> On Wed, Mar 31, 2021 at 07:32:06PM +0200, Greg KH wrote:
> > On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> > > The patch has fixed a NULL pointer deference crash in hiding the cursor. It
> > > is verified by syzbot patch tester.
> > >
> > > Reported by: syzbot
> > > https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
> > >
> > > Signed-off-by: Hassan Shahbazi <[email protected]>
> > > ---
> > > drivers/video/fbdev/core/fbcon.c | 5 +++--
> > > 1 file changed, 3 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > > index 44a5cd2f54cc..ee252d1c43c6 100644
> > > --- a/drivers/video/fbdev/core/fbcon.c
> > > +++ b/drivers/video/fbdev/core/fbcon.c
> > > @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
> > >
> > > ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
> > >
> > > - ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> > > - get_color(vc, info, c, 0));
> > > + if (ops && ops->cursor)
> >
> > As ops obviously is not NULL here (you just used it on the line above),
> > why are you checking it again?
>
> Yes, that's right. I will remove that check and will submit a new patch.
>
>
> > And what makes curser be NULL here? How can that happen?
>
> Honestly, I don't know. I reproduced the crash on my local, followed the
> stack trace, and then changed the line to avoid the crash. If you think this
> patch is not the best solution, I can drop it and investigate more to find
> the root cause.

Finding the root cause would be good to do here, so that we can
potentially fix that if it is needed.

thanks,

greg k-h