From: Zhou Qingyang
To: zhou1615@umn.edu
Cc: kjlu@umn.edu, Mauro Carvalho Chehab, Zhen Lei, Laurent Pinchart, Arnd Bergmann, Douglas Schilling Landgraf, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] media: bttv: Fix a NULL pointer dereference in bttv_s_fbuf()
Date: Tue, 25 Jan 2022 01:04:09 +0800
Message-Id: <20220124170411.58169-1-zhou1615@umn.edu>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In bttv_s_fbuf(), the return value of videobuf_sg_alloc() is assigned to variable new and there is a dereference of it after that. The return value of videobuf_sg_alloc() could be NULL on failure of allocation, which could lead to a NULL pointer dereference.

Fix this bug by adding a NULL check of new.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code.

Fixes: 402aa76aa5e5 ("V4L/DVB (6911): Converted bttv to use video_ioctl2")
Signed-off-by: Zhou Qingyang
---
The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug.

 drivers/media/pci/bt8xx/bttv-driver.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
index 5aa46593ddc6..c0664cffb881 100644
--- a/drivers/media/pci/bt8xx/bttv-driver.c
+++ b/drivers/media/pci/bt8xx/bttv-driver.c
@@ -2627,6 +2627,8 @@ static int bttv_s_fbuf(struct file *file, void *f, struct bttv_buffer *new; new = videobuf_sg_alloc(sizeof(*new)); + if (!new) + return -ENOMEM; new->crop = btv->crop[!!fh->do_crop].rect; bttv_overlay_risc(btv, &fh->ov, fh->ovfmt, new); retval = bttv_switch_overlay(btv, fh, new); -- 2.25.1
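Review bot: The added `if (!new) return -ENOMEM;` leaves bttv_s_fbuf() through a new early exit, while the last context line shows the function reporting its status through a local (`retval = bttv_switch_overlay(btv, fh, new);`). If anything in bttv_s_fbuf() is updated before this allocation or finalized after it on the common return path, a direct `return` skips that handling; consider `retval = -ENOMEM;` and falling through to the existing exit, or state in the changelog that no unwinding is needed at this point. The check itself is the right fix for the visible dereference on the following line (`new->crop = ...`), and -ENOMEM is the appropriate code for a failed videobuf_sg_alloc().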