From: Zhou Qingyang
To: zhou1615@umn.edu
Cc: kjlu@umn.edu, Mauro Carvalho Chehab, Zhen Lei, Arnd Bergmann, Hans Verkuil, Michael Schimek, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] media: bttv: Fix a NULL pointer dereference in setup_window_lock()
Date: Tue, 25 Jan 2022 01:05:13 +0800
Message-Id: <20220124170515.58519-1-zhou1615@umn.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

In setup_window_lock(), the return value of videobuf_sg_alloc() is
assigned to variable new and there is a dereference of it after
that. The return value of videobuf_sg_alloc() could be NULL on
failure of allocation, which could lead to a NULL pointer dereference.

Fix this bug by adding a NULL check of new.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: e5bd0260e7d3 ("V4L/DVB (5077): Bttv cropping support")
Signed-off-by: Zhou Qingyang
---
The analysis employs differential checking to identify inconsistent
security operations (e.g., checks or kfrees) between two code paths
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/pci/bt8xx/bttv-driver.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c index 8cc9bec43688..6338f98d845d 100644 --- a/drivers/media/pci/bt8xx/bttv-driver.c +++ b/drivers/media/pci/bt8xx/bttv-driver.c 
@@ -2182,6 +2182,8 @@ static int setup_window_lock(struct bttv_fh *fh, struct bttv *btv, struct bttv_buffer *new; new = videobuf_sg_alloc(sizeof(*new)); + if (!new) + return -ENOMEM; new->crop = btv->crop[!!fh->do_crop].rect; bttv_overlay_risc(btv, &fh->ov, fh->ovfmt, new); retval = bttv_switch_overlay(btv,fh,new); -- 2.25.1
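
Review bot: the added "return -ENOMEM;" right after "new = videobuf_sg_alloc(sizeof(*new));" leaves setup_window_lock() directly, while the very next context line reports status through "retval = bttv_switch_overlay(btv,fh,new);", and nothing in the hunk or the commit message shows that the code above line 2182 leaves no state to unwind. Please either state in the changelog that nothing acquired or allocated earlier in the function needs releasing on this path, or set "retval = -ENOMEM" and skip the two overlay calls so the function keeps a single exit. It would also help to say what the caller does with -ENOMEM here, since the note under the "---" line mentions that callers were examined but that reasoning is not part of the commit message that will be recorded.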