linux-serial.vger.kernel.org archive mirror
* Fwd: Possible null pointer dereference in con_init()
From: Dongyang Zhan @ 2020-05-03  7:20 UTC
  To: linux-serial

Hi,

I am a security researcher. My name is Dongyang Zhan. I found a potential bug.

I hope you can help me to confirm it.

Thank you.

In Linux 4.10.17, function con_init() in /drivers/tty/vt/vt.c forgets
to handle the failure of the memory allocation operation (e.g.,
vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data),
GFP_NOWAIT)).

Source code and comments:
    vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT);
    INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);
    tty_port_init(&vc->port);
    visual_init(vc, currcons, 1);
    vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT);
    vc_init(vc, vc->vc_rows, vc->vc_cols,
            currcons || !vc->vc_sw->con_save_screen);

If the allocation fails, dereferencing vc will cause a null pointer dereference.


* Re: Fwd: Possible null pointer dereference in con_init()
From: Greg KH @ 2020-05-03  7:44 UTC
  To: Dongyang Zhan; +Cc: linux-serial

On Sun, May 03, 2020 at 03:20:50PM +0800, Dongyang Zhan wrote:
> Hi,
> 
> I am a security researcher. My name is Dongyang Zhan. I found a potential bug.
> 
> I hope you can help me to confirm it.
> 
> Thank you.
> 
> In Linux 4.10.17, function con_init() in /drivers/tty/vt/vt.c forgets
> to handle the failure of the memory allocation operation (e.g.,
> vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data),
> GFP_NOWAIT)).
> 
> Source code and comments:
>     vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT);
>     INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);
>     tty_port_init(&vc->port);
>     visual_init(vc, currcons, 1);
>     vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT);
>     vc_init(vc, vc->vc_rows, vc->vc_cols,
>             currcons || !vc->vc_sw->con_save_screen);
> 
> If the allocation fails, dereferencing vc will cause a null pointer dereference.

But that allocation can not fail, so all is fine.

thanks,

greg k-h
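
Added example, not part of either message and not kernel code: a user-space C model of the two-allocation sequence quoted in the report, with each allocation's return value checked and the first allocation released if the second one fails. model_zalloc (a stand-in for kzalloc with an injectable failure), struct model_vc, and the 4000-byte buffer size are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model; all names are hypothetical, not the kernel's. */
struct model_vc { size_t screenbuf_size; unsigned char *screenbuf; };
static int fail_at = -1;             /* index of the allocation to fail; -1 = none */
static int alloc_calls, live_allocs; /* attempts this run; allocations not yet freed */

/* Stand-in for kzalloc(): zeroed memory, or NULL at the injected index. */
static void *model_zalloc(size_t size)
{
    void *p = (alloc_calls++ == fail_at) ? NULL : calloc(1, size);
    live_allocs += (p != NULL);
    return p;
}
static void model_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Checked form of the sequence: console struct first, then its screen buffer. */
static int model_console_init(struct model_vc **out, size_t screenbuf_size)
{
    struct model_vc *vc = model_zalloc(sizeof(*vc));
    if (!vc)
        return -ENOMEM;        /* nothing allocated yet, nothing to undo */
    vc->screenbuf_size = screenbuf_size;
    vc->screenbuf = model_zalloc(vc->screenbuf_size);
    if (!vc->screenbuf) {
        model_free(vc);        /* second allocation failed: release the first */
        return -ENOMEM;
    }
    *out = vc;
    return 0;
}

/* Run one init with allocation number n failing; returns init's result. */
static int run_with_failure(int n)
{
    struct model_vc *vc = NULL;
    fail_at = n; alloc_calls = 0;
    int rc = model_console_init(&vc, 4000);
    if (rc == 0) { model_free(vc->screenbuf); model_free(vc); }
    return rc;
}

int main(void)
{
    for (int n = -1; n <= 1; n++)
        printf("fail_at=%d rc=%d\n", n, run_with_failure(n));
    return 0;
}
```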
