[PATCH] drm: simpledrm: fix a potential NULL dereference

[PATCH] drm: simpledrm: fix a potential NULL dereference

[Dan Carpenter]

The drm_format_info() function returns NULL if the format is
unsupported, but the simplefb_get_validated_format() is expected to
return error pointers.  If we propagate teh NULL return then it will
lead to a NULL dereference in the callers.  Swap the NULL and trade it
in for an ERR_PTR(-EINVAL).

Fixes: 11e8f5fd223b ("drm: Add simpledrm driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/gpu/drm/tiny/simpledrm.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/tiny/simpledrm.c b/drivers/gpu/drm/tiny/simpledrm.c
index f72ca3a1c2d4..4f605c5fe856 100644
--- a/drivers/gpu/drm/tiny/simpledrm.c
+++ b/drivers/gpu/drm/tiny/simpledrm.c
@@ -72,6 +72,7 @@ simplefb_get_validated_format(struct drm_device *dev, const char *format_name)
 	static const struct simplefb_format formats[] = SIMPLEFB_FORMATS;
 	const struct simplefb_format *fmt = formats;
 	const struct simplefb_format *end = fmt + ARRAY_SIZE(formats);
+	const struct drm_format_info *info;
 
 	if (!format_name) {
 		drm_err(dev, "simplefb: missing framebuffer format\n");
@@ -79,8 +80,12 @@ simplefb_get_validated_format(struct drm_device *dev, const char *format_name)
 	}
 
 	while (fmt < end) {
-		if (!strcmp(format_name, fmt->name))
-			return drm_format_info(fmt->fourcc);
+		if (!strcmp(format_name, fmt->name)) {
+			info = drm_format_info(fmt->fourcc);
+			if (!info)
+				return ERR_PTR(-EINVAL);
+			return info;
+		}
 		++fmt;
 	}
 
-- 
2.30.2

Re: [PATCH] drm: simpledrm: fix a potential NULL dereference

[Thomas Zimmermann]

[-- Attachment #1.1: Type: text/plain, Size: 1941 bytes --]



Am 15.05.21 um 11:53 schrieb Dan Carpenter:
> The drm_format_info() function returns NULL if the format is
> unsupported, but the simplefb_get_validated_format() is expected to
> return error pointers.  If we propagate teh NULL return then it will
> lead to a NULL dereference in the callers.  Swap the NULL and trade it
> in for an ERR_PTR(-EINVAL).

Thank you. I've added the patch to drm-misc-next.

Best regards
Thomas

> 
> Fixes: 11e8f5fd223b ("drm: Add simpledrm driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>   drivers/gpu/drm/tiny/simpledrm.c | 9 +++++++--
>   1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/tiny/simpledrm.c b/drivers/gpu/drm/tiny/simpledrm.c
> index f72ca3a1c2d4..4f605c5fe856 100644
> --- a/drivers/gpu/drm/tiny/simpledrm.c
> +++ b/drivers/gpu/drm/tiny/simpledrm.c
> @@ -72,6 +72,7 @@ simplefb_get_validated_format(struct drm_device *dev, 
const char *format_name)
>   	static const struct simplefb_format formats[] = SIMPLEFB_FORMATS;
>   	const struct simplefb_format *fmt = formats;
>   	const struct simplefb_format *end = fmt + ARRAY_SIZE(formats);
> +	const struct drm_format_info *info;
>   
>   	if (!format_name) {
>   		drm_err(dev, "simplefb: missing framebuffer format\n");
> @@ -79,8 +80,12 @@ simplefb_get_validated_format(struct drm_device *dev, const char *format_name)
>   	}
>   
>   	while (fmt < end) {
> -		if (!strcmp(format_name, fmt->name))
> -			return drm_format_info(fmt->fourcc);
> +		if (!strcmp(format_name, fmt->name)) {
> +			info = drm_format_info(fmt->fourcc);
> +			if (!info)
> +				return ERR_PTR(-EINVAL);
> +			return info;
> +		}
>   		++fmt;
>   	}
>   
> 

-- 
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]