From: Zhou Qingyang
To: zhou1615@umn.edu
Cc: kjlu@umn.edu, Mauro Carvalho Chehab, Hans Verkuil, Tasos Sahanidis, Yang Yingliang, Christophe JAILLET, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] media: saa7134: Fix a NULL pointer dereference in saa7134_initdev()
Date: Tue, 25 Jan 2022 01:19:30 +0800
Message-Id: <20220124171931.62174-1-zhou1615@umn.edu>
X-Mailer: git-send-email 2.25.1
X-Mailing-List: linux-kernel@vger.kernel.org

In saa7134_initdev(), the return value of vdev_init() is assigned to
dev->video_dev and there is a dereference of it after that. The return
value of vdev_init() will be NULL on allocation failure, which could
lead to a NULL pointer dereference. The same applies to dev->vbi_dev.

Fix this bug by adding a NULL check of dev->video_dev and dev->vbi_dev.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings, and our static
analyzer no longer warns about this code.

Fixes: a9622391acb ("V4L/DVB (6792): Fix VBI support")
Signed-off-by: Zhou Qingyang
---
The analysis employs differential checking to identify inconsistent
security operations (e.g., checks or kfrees) between two code paths
and confirms that the inconsistent operations are not recovered in
the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/pci/saa7134/saa7134-core.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/media/pci/saa7134/saa7134-core.c b/drivers/media/pci/saa7134/saa7134-core.c index 96328b0af164..0de0b00540b6 100644 --- a/drivers/media/pci/saa7134/saa7134-core.c +++ b/drivers/media/pci/saa7134/saa7134-core.c
@@ -1202,6 +1202,11 @@ static int saa7134_initdev(struct pci_dev *pci_dev, pr_info("%s: Overlay support disabled.\n", dev->name); dev->video_dev = vdev_init(dev,&saa7134_video_template,"video"); + if (!dev->video_dev) { + err = -ENOMEM; + goto err_unregister_video; + } + dev->video_dev->ctrl_handler = &dev->ctrl_handler; dev->video_dev->lock = &dev->lock; dev->video_dev->queue = &dev->video_vbq; @@ -1224,6 +1229,11 @@ static int saa7134_initdev(struct pci_dev *pci_dev, dev->name, video_device_node_name(dev->video_dev)); dev->vbi_dev = vdev_init(dev, &saa7134_video_template, "vbi"); + if (!dev->vbi_dev) { + err = -ENOMEM; + goto err_unregister_video; + } + dev->vbi_dev->ctrl_handler = &dev->ctrl_handler; dev->vbi_dev->lock = &dev->lock; dev->vbi_dev->queue = &dev->vbi_vbq; -- 2.25.1
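
Review bot: in the first hunk (@@ -1202), `goto err_unregister_video` is taken while dev->video_dev is still NULL, and the body of that label is not part of this diff, so nothing visible here shows that the unwind code checks the pointer before using it. Please confirm that the cleanup reached through err_unregister_video tolerates a NULL dev->video_dev and say so in the commit message; if it does not, the dereference has only moved from the init path to the error path, and a label placed later in the unwind sequence would be the safer target.

Review bot: in the second hunk (@@ -1224), the same err_unregister_video label is reused for a different state: the context line already prints video_device_node_name(dev->video_dev), so the video node is live at this point while dev->vbi_dev is NULL. The label therefore has to release the video node and skip the NULL vbi pointer on the same pass. Please state in the changelog that the unwind path was checked for this mixed state, since the static-analysis note under the `---` line covers only the missing checks and not what the new jumps rely on.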