Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp9718209ybi;
        Wed, 24 Jul 2019 08:47:22 -0700 (PDT)
X-Google-Smtp-Source: APXvYqx7FaZvZTG7cgxw9MRWN38SaugGCAQc5QYu9Lohq16X6Xk/PzND0eRGX+kO3xTr1YkCX6Q/
X-Received: by 2002:a63:5b52:: with SMTP id l18mr82293936pgm.21.1563983241814;
        Wed, 24 Jul 2019 08:47:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1563983241; cv=none;
        d=google.com; s=arc-20160816;
        b=a2ReTOodvfO8BtjzOPIO/dVrhy7zh8TbHGFtGfdkurNQr+onKyeaTmr4FY+CkO/6tt
         HpgfG4BVLDuG6BIzKOHJLNhUHRN2DQ8W44YGc8MW78uEtSUiuvk0iTClJKMVzyZV0t4Z
         7GExBXclJYnqqOGolbcGcFap0H4Mb0SRFN+G77qgId13ov/cHuqBScNL0hN4yBbjIwoJ
         7kNoH7ENuKiIasG95O2GNYkbGuvkxE6S6kUSZPVCldP99Dt5XYY5ravLFmXEXHDZBI93
         iblYZZQ4zjQuhyyE0vqYGe+QB+ZdZBxeChdlqjGATQQkxbjoxaG/3XUl8+qWSY9lSk5O
         Vdng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=yOe9je3y3azuxEkbZtWAgzy/O8tv7xt/7UDFJgcMfj4=;
        b=ncjblbkUc1rDOJbAE5FV78K8wzcJyEO+odkuLFcMsLHE3+x1whVSA8i6BcpmDCELo7
         GuSoHNAPp/wVdrp9CznV/IcD7u0rMtETFB3rnkiwAaa3qNqhC7Ldvlhsn/VtLoJSP8Uh
         nBHpH9wsYgnPSUnmrI3FmUPaZeTSV5HYg0Cee4w0uG4bj40mxyYvUeFbJcn3DnkcWoAM
         mh8mC5gjK2c0220jQO+v0ckkUpKdzTbhQfJ0uO1M3tJEDmCvXghbmmvvTSvVyjaEF4aD
         8z5Avda7s7EGffRCMTJlH3oFJxmEGYSCj5FDv4sO70IrYa3NXalg96+WD3MX8qv7EB5B
         Ek5g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=s8XDVAag;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g21si14702489plo.235.2019.07.24.08.47.07;
        Wed, 24 Jul 2019 08:47:21 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=s8XDVAag;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727908AbfGXMNg (ORCPT <rfc822;shmalave.kernel@gmail.com>
        + 99 others); Wed, 24 Jul 2019 08:13:36 -0400
Received: from mail-pf1-f193.google.com ([209.85.210.193]:45947 "EHLO
        mail-pf1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726578AbfGXMNg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 24 Jul 2019 08:13:36 -0400
Received: by mail-pf1-f193.google.com with SMTP id r1so20858195pfq.12
        for <linux-kernel@vger.kernel.org>; Wed, 24 Jul 2019 05:13:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=yOe9je3y3azuxEkbZtWAgzy/O8tv7xt/7UDFJgcMfj4=;
        b=s8XDVAagfffx5f9BWX1AzPwmmHmm5GOZ3QuKYZ4yMZ69IcT4jkecK2Bg8Yy/vpcKC+
         dthic2I4LPTJcLT4z0STllQckoVS7Fw4OyKGPqxUtz3vexpptdyxut782KbjsCJQco7w
         BoC8SjYltzNvBjuQjU1TTYTgOy5t/dwdTcMPW/AEvuGJ19zZdBs/ctzvexJ8E49ckblB
         OQRe/jbhe/tMsiDL5ZirfuNh0b6HqCQvls6OEVnYFFB9N4WT7Rw9hd93wmj3ld1pU6bW
         57jEMd9adYRQJ6uVhCrAG07o4wwok59qaNSYx4VnSwbvmdAT3lEzYRTvss0db4JLOrhe
         QITQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=yOe9je3y3azuxEkbZtWAgzy/O8tv7xt/7UDFJgcMfj4=;
        b=QFUb6sHJBf3wcIptW4MXDImJiivxlr09/A9395znfWXvGjS24oIVALPLgRTuCjXJMo
         eCdfR5dfXnCZ9YYGNU4gw8KQkzZwQdwb5K8wkJkAF9DweUxHd5fZ+aM4P6TFQwy9DuhW
         79bsVMKO48WwAJy7FmnamdTc7xdH5ZagSyB+RDa5jnhMKEqHyJwcN4AfH6u89gPwzG10
         sLs6W1fEAY1XDZrkcEjg8HZ0RsR3FqPMBubL37NvVhwUIDqgXdEzNEBZIY2jqNsy+EkO
         Ia/G1nb0McVyp+O48OnBQsYX/bt4WLNdZpNv0EK3FEZW+G0fv/FjYm6zPi0oqlF0Lnzp
         qK3w==
X-Gm-Message-State: APjAAAUocgIBY+r+ios634RoiVtJhZgzEABGbfb3nlWtK0v+W+v0WikS
        ose5N1jVQeH8rBzg+lJwIQ4=
X-Received: by 2002:a63:1749:: with SMTP id 9mr28651971pgx.0.1563970415766;
        Wed, 24 Jul 2019 05:13:35 -0700 (PDT)
Received: from oslab.tsinghua.edu.cn ([2402:f000:4:72:808::3ca])
        by smtp.gmail.com with ESMTPSA id g66sm47009665pfb.44.2019.07.24.05.13.32
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 24 Jul 2019 05:13:35 -0700 (PDT)
From:   Jia-Ju Bai <baijiaju1990@gmail.com>
To:     perex@perex.cz, tiwai@suse.com, bhelgaas@google.com,
        tglx@linutronix.de, rfontana@redhat.com,
        gregkh@linuxfoundation.org, kirr@nexedi.com
Cc:     alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org,
        Jia-Ju Bai <baijiaju1990@gmail.com>
Subject: [PATCH] ALSA: core: Fix possible null-pointer dereferences in snd_timer_proc_read()
Date:   Wed, 24 Jul 2019 20:13:27 +0800
Message-Id: <20190724121327.9894-1-baijiaju1990@gmail.com>
X-Mailer: git-send-email 2.17.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In snd_timer_proc_read(), there is an if statement on line 1204 to check
whether timer->card is NULL:
    if (timer->card && timer->card->shutdown)

When timer->card is NULL, it is used on lines 1212 and 1215:
    timer->card->number

Thus, possible null-pointer dereferences may occur.

To fix these bugs, timer->card is checked before being used.

These bugs are found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 sound/core/timer.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sound/core/timer.c b/sound/core/timer.c
index 5c9fbf3f4340..967d06a3cdec 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1208,11 +1208,13 @@ static void snd_timer_proc_read(struct snd_info_entry *entry,
 			snd_iprintf(buffer, "G%i: ", timer->tmr_device);
 			break;
 		case SNDRV_TIMER_CLASS_CARD:
-			snd_iprintf(buffer, "C%i-%i: ",
-				    timer->card->number, timer->tmr_device);
+			snd_iprintf(buffer, "C%i-%i: ", 
+					timer->card ? timer->card->number : -1, 
+					timer->tmr_device);
 			break;
 		case SNDRV_TIMER_CLASS_PCM:
-			snd_iprintf(buffer, "P%i-%i-%i: ", timer->card->number,
+			snd_iprintf(buffer, "P%i-%i-%i: ",
+					timer->card ? timer->card->number : -1,
 				    timer->tmr_device, timer->tmr_subdevice);
 			break;
 		default:
-- 
2.17.0