From: Zhou Qingyang
To: zhou1615@umn.edu
Cc: kjlu@umn.edu, Hans Verkuil, Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
Date: Fri, 3 Dec 2021 23:40:30 +0800
Message-Id: <20211203154030.111210-1-zhou1615@umn.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate new memory for dev->vv_data. saa7146_vv_release() will be called on failure of saa7146_register_device(). There is a dereference of dev->vv_data in saa7146_vv_release(), which could lead to a NULL pointer dereference on failure of saa7146_vv_init().

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug.

Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings, and our static analyzer no longer warns about this code.

Signed-off-by: Zhou Qingyang
---
Changes in v2:
- Add i2c_del_adapter in hexium_attach()
- Change 'return -1' to 'return -ENOMEM' in saa7146_vv_init

 drivers/media/common/saa7146/saa7146_fops.c | 2 +-
 drivers/media/pci/saa7146/hexium_gemini.c   | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
index baf5772c52a9..be3215977714 100644
--- a/drivers/media/common/saa7146/saa7146_fops.c
+++ b/drivers/media/common/saa7146/saa7146_fops.c @@ -521,7 +521,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv) ERR("out of memory. aborting.\n"); kfree(vv); v4l2_ctrl_handler_free(hdl); - return -1; + return -ENOMEM; } saa7146_video_uops.init(dev,vv); diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c index 2214c74bbbf1..3947701cd6c7 100644 --- a/drivers/media/pci/saa7146/hexium_gemini.c +++ b/drivers/media/pci/saa7146/hexium_gemini.c @@ -284,7 +284,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d hexium_set_input(hexium, 0); hexium->cur_input = 0; - saa7146_vv_init(dev, &vv_data); + ret = saa7146_vv_init(dev, &vv_data); + if (ret) { + i2c_del_adapter(&hexium->i2c_adapter); + kfree(hexium); + return ret; + } vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input; vv_data.vid_ops.vidioc_g_input = vidioc_g_input; -- 2.25.1
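Review bot: the `- return -1;` / `+ return -ENOMEM;` change in saa7146_vv_init() is what makes the hexium_gemini.c hunk safe to propagate, since hexium_attach() now returns this value and a bare -1 would have surfaced as -EPERM to the probe path, but the reason is only listed in the v2 changelog; state it in the commit message body, and confirm that no other failure path in saa7146_vv_init() still returns -1 so that every error reaching the new `ret` check in hexium_attach() is a real errno value.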
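Review bot: the new error path at `+ if (ret) {` in hexium_attach() relies on `ret` being declared earlier in the function and on `hexium->i2c_adapter` already having been registered at this point; neither is visible in the hunk context, so confirm that i2c_add_adapter() precedes this call (otherwise `i2c_del_adapter(&hexium->i2c_adapter)` tears down an adapter that was never added) and say in the commit message that this teardown mirrors the detach order. If `dev->ext_priv` was pointed at `hexium` earlier in the function, clear it before `kfree(hexium)` or verify that the saa7146 core never dereferences it after a failed attach, and consider logging the failure before `return ret;` so a probe failure is diagnosable from dmesg.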