* [PATCH] regmap: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
@ 2014-04-30  9:31 Xiubo Li
  2014-05-01  3:34 ` Mark Brown
  0 siblings, 1 reply; 6+ messages in thread
From: Xiubo Li @ 2014-04-30  9:31 UTC (permalink / raw)
  To: broonie; +Cc: linux-kernel, Xiubo Li

Since we cannot make sure that 'len = pair_size * num_regs' will always
be non-zero from the users, and if 'num_regs' equals zero by
mistake or for other reasons, kzalloc() will return ZERO_SIZE_PTR, which
equals ((void *)16).

So this patch fixes this by just doing the 'len' zero check before calling
kzalloc().

Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com>
---
 drivers/base/regmap/regmap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index 18d193f..4ef7a24 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -1685,6 +1685,9 @@ static int _regmap_raw_multi_reg_write(struct regmap *map,
 	size_t pair_size = reg_bytes + pad_bytes + val_bytes;
 	size_t len = pair_size * num_regs;
 
+	if (!len)
+		return -EINVAL;
+
 	buf = kzalloc(len, GFP_KERNEL);
 	if (!buf)
 		return -ENOMEM;
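
Review bot: the `if (!len)` test runs after `len = pair_size * num_regs` has already been computed, so it rejects a zero product but not one that wrapped; a wrapped `len` still reaches `kzalloc()` and passes `if (!buf)`. Testing `num_regs` directly states the intent better than testing `len`, and the multiplication should be checked for overflow before the allocation. The commit message should also name the access to `buf` that goes wrong, since the existing `if (!buf)` check is exactly what lets ZERO_SIZE_PTR through.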
-- 
1.8.4
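
The failure mode the commit message above describes, as an added userspace example that is not part of the original patch or the regmap code. `model_kzalloc()`, `model_kfree()`, `alloc_unpatched()`, `alloc_patched()` and `sentinel_slips_through()` are hypothetical names, and the overflow bound in `alloc_patched()` goes beyond what the patch adds.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Modelled on include/linux/slab.h: the sentinel is non-NULL but unmapped. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(p) ((uintptr_t)(p) <= (uintptr_t)ZERO_SIZE_PTR)

/* Hypothetical userspace stand-in for kzalloc(len, GFP_KERNEL). */
static void *model_kzalloc(size_t len)
{
	return len ? calloc(1, len) : ZERO_SIZE_PTR;
}

static void model_kfree(void *p)
{
	if (!ZERO_OR_NULL_PTR(p))
		free(p);
}

/* Pre-patch shape: only "if (!buf)" guards the allocation. */
int alloc_unpatched(size_t pair_size, size_t num_regs, void **buf)
{
	*buf = model_kzalloc(pair_size * num_regs);
	if (!*buf)
		return -ENOMEM;
	return 0;	/* caller believes *buf is writable */
}

/* Patched shape, plus an overflow bound the patch itself does not add. */
int alloc_patched(size_t pair_size, size_t num_regs, void **buf)
{
	*buf = NULL;
	if (!pair_size || !num_regs || num_regs > SIZE_MAX / pair_size)
		return -EINVAL;
	*buf = model_kzalloc(pair_size * num_regs);
	return *buf ? 0 : -ENOMEM;
}

/* Returns 1 when the unpatched path hands back the sentinel as "success". */
int sentinel_slips_through(size_t pair_size, size_t num_regs)
{
	void *buf;
	int ret = alloc_unpatched(pair_size, num_regs, &buf);
	int slipped = (ret == 0 && buf == ZERO_SIZE_PTR);

	model_kfree(buf);
	return slipped;
}
```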



* Re: [PATCH] regmap: Fix possible ZERO_SIZE_PTR pointer dereferencing error.
  2014-04-30  9:31 [PATCH] regmap: Fix possible ZERO_SIZE_PTR pointer dereferencing error Xiubo Li
@ 2014-05-01  3:34 ` Mark Brown
  0 siblings, 0 replies; 6+ messages in thread
From: Mark Brown @ 2014-05-01  3:34 UTC (permalink / raw)
  To: Xiubo Li; +Cc: linux-kernel

On Wed, Apr 30, 2014 at 05:31:08PM +0800, Xiubo Li wrote:
> Since we cannot make sure that 'len = pair_size * num_regs' will always
> be non-zero from the users, and if 'num_regs' equals zero by
> mistake or for other reasons, kzalloc() will return ZERO_SIZE_PTR, which
> equals ((void *)16).

Applied, thanks.


* RE: [PATCH] regmap: fix possible ZERO_SIZE_PTR pointer dereferencing error.
  2014-09-28 10:56 ` Mark Brown
@ 2014-09-30  5:05   ` Li.Xiubo
  0 siblings, 0 replies; 6+ messages in thread
From: Li.Xiubo @ 2014-09-30  5:05 UTC (permalink / raw)
  To: Mark Brown; +Cc: gregkh, linux-kernel

Hi,

> 
> > diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
> > index 455a877..3d93e38 100644
> > --- a/drivers/base/regmap/regmap.c
> > +++ b/drivers/base/regmap/regmap.c
> > @@ -1716,6 +1716,9 @@ out:
> 
> Whatever you're using to generate the patches isn't annotating with the
> function being changed like git normally does which isn't great for
> working out what the best return value should be.

Yes, I will add more detailed info about the return value in future
patches of this kind.

Thanks,

BRs
Xiubo



* Re: [PATCH] regmap: fix possible ZERO_SIZE_PTR pointer dereferencing error.
  2014-09-28  9:09 [PATCH] regmap: fix " Xiubo Li
  2014-09-28  9:25 ` Li.Xiubo
@ 2014-09-28 10:56 ` Mark Brown
  2014-09-30  5:05   ` Li.Xiubo
  1 sibling, 1 reply; 6+ messages in thread
From: Mark Brown @ 2014-09-28 10:56 UTC (permalink / raw)
  To: Xiubo Li; +Cc: gregkh, linux-kernel

On Sun, Sep 28, 2014 at 05:09:54PM +0800, Xiubo Li wrote:
> Since we cannot make sure that 'val_count' will always be non-zero
> here, and if it equals zero, kmemdup() will return
> ZERO_SIZE_PTR, which equals ((void *)16).

Applied, thanks.  

> diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
> index 455a877..3d93e38 100644
> --- a/drivers/base/regmap/regmap.c
> +++ b/drivers/base/regmap/regmap.c
> @@ -1716,6 +1716,9 @@ out:

Whatever you're using to generate the patches isn't annotating with the
function being changed like git normally does which isn't great for
working out what the best return value should be.


* RE: [PATCH] regmap: fix possible ZERO_SIZE_PTR pointer dereferencing error.
  2014-09-28  9:09 [PATCH] regmap: fix " Xiubo Li
@ 2014-09-28  9:25 ` Li.Xiubo
  2014-09-28 10:56 ` Mark Brown
  1 sibling, 0 replies; 6+ messages in thread
From: Li.Xiubo @ 2014-09-28  9:25 UTC (permalink / raw)
  To: broonie; +Cc: gregkh, linux-kernel

Hi Mark,


> Subject: [PATCH] regmap: fix possible ZERO_SIZE_PTR pointer dereferencing
> error.
> 
> Since we cannot make sure that 'val_count' will always be non-zero
> here, and if it equals zero, kmemdup() will return
> ZERO_SIZE_PTR, which equals ((void *)16).
> 
> So this patch fixes this by just doing the zero check before calling
> kmemdup().
> 
> Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com>
> ---
>  drivers/base/regmap/regmap.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
> index 455a877..3d93e38 100644
> --- a/drivers/base/regmap/regmap.c
> +++ b/drivers/base/regmap/regmap.c
> @@ -1716,6 +1716,9 @@ out:
>  	} else {
>  		void *wval;
> 
> +		if (!val_count)
> +			return -EINVAL;
> +

Should it return zero as success or just return -EINVAL for error here?

If a val_count of zero is allowed, regmap_bulk_write(..., val_count) could do
nothing and just return zero as success at the beginning of it.

I will respin this patch if returning zero is better ...

Thanks,

BRs
Xiubo

>  		wval = kmemdup(val, val_count * val_bytes, GFP_KERNEL);
>  		if (!wval) {
>  			dev_err(map->dev, "Error in memory allocation\n");
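
Review bot: the `if (!val_count)` check goes in without a comment, and nothing in the hunk tells a caller that a zero count is now an error rather than a no-op. A one-line comment above the check noting that `kmemdup()` of zero bytes returns ZERO_SIZE_PTR, plus a sentence in the function's kernel-doc on how a zero `val_count` is treated, would record the decision between -EINVAL and 0 for later readers.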
> --
> 2.1.0.27.g96db324



* [PATCH] regmap: fix possible ZERO_SIZE_PTR pointer dereferencing error.
@ 2014-09-28  9:09 Xiubo Li
  2014-09-28  9:25 ` Li.Xiubo
  2014-09-28 10:56 ` Mark Brown
  0 siblings, 2 replies; 6+ messages in thread
From: Xiubo Li @ 2014-09-28  9:09 UTC (permalink / raw)
  To: broonie; +Cc: gregkh, linux-kernel, Xiubo Li

Since we cannot make sure that 'val_count' will always be non-zero
here, and if it equals zero, kmemdup() will return
ZERO_SIZE_PTR, which equals ((void *)16).

So this patch fixes this by just doing the zero check before calling
kmemdup().

Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com>
---
 drivers/base/regmap/regmap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index 455a877..3d93e38 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -1716,6 +1716,9 @@ out:
 	} else {
 		void *wval;
 
+		if (!val_count)
+			return -EINVAL;
+
 		wval = kmemdup(val, val_count * val_bytes, GFP_KERNEL);
 		if (!wval) {
 			dev_err(map->dev, "Error in memory allocation\n");
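
Review bot: the zero check is added only inside the `else` branch, so a zero `val_count` returns -EINVAL on this path while the branch before `} else {` keeps whatever behaviour it had; the result a caller sees then depends on which path the map takes. Moving the check to the top of the function gives both branches the same answer, and that is also the place to settle whether an empty write is an error or a successful no-op.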
-- 
2.1.0.27.g96db324


