Linux-Sparse Archive on lore.kernel.org
* [PATCH] fix null pointer deref on return expression with invalid type
@ 2020-10-16 22:28 Luc Van Oostenryck
From: Luc Van Oostenryck @ 2020-10-16 22:28 UTC (permalink / raw)
  To: linux-sparse; +Cc: Luc Van Oostenryck

If the evaluation of the return expression failed, a following test
can dereference the pointer holding the expression's type ...
which is null. Bad.

Fix this by adding the missing null pointer test.

Fixes: 3bc32d46494c404df7905fceaca9156830ff97f1
Signed-off-by: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
---
 evaluate.c                         | 2 +-
 validation/crash-undef-in-parens.c | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 validation/crash-undef-in-parens.c

diff --git a/evaluate.c b/evaluate.c
index 3ff76fa85e14..16e11fe1b5a2 100644
--- a/evaluate.c
+++ b/evaluate.c
@@ -3611,7 +3611,7 @@ static struct symbol *evaluate_return_expression(struct statement *stmt)
 	fntype = current_fn->ctype.base_type;
 	rettype = fntype->ctype.base_type;
 	if (!rettype || rettype == &void_ctype) {
-		if (expr && !is_void_type(expr->ctype))
+		if (expr && expr->ctype && !is_void_type(expr->ctype))
 			expression_error(expr, "return expression in %s function", rettype?"void":"typeless");
 		if (expr && Wreturn_void)
 			warning(stmt->pos, "returning void-valued expression");
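Review bot: The added `expr->ctype` check in the void/typeless branch is the right guard, but it silently drops the "return expression in %s function" error whenever evaluation of the expression failed; that is intentional (the failed evaluation has already reported its own error, and the new test expects only that one diagnostic), so a one-line comment such as `/* NULL ctype: evaluation already failed and reported */` above the condition would save the next reader from wondering whether the error is being lost. Also note that the following `if (expr && Wreturn_void)` warning still fires for an expression that never got a type, which looks harmless but may be worth the same `expr->ctype` guard for consistency.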
diff --git a/validation/crash-undef-in-parens.c b/validation/crash-undef-in-parens.c
new file mode 100644
index 000000000000..5f05f88a6776
--- /dev/null
+++ b/validation/crash-undef-in-parens.c
@@ -0,0 +1,9 @@
+void foo(void) { return (UNDEF_STUFF_IN_PARENS); }
+
+/*
+ * check-name: crash-undef-in-parens
+ *
+ * check-error-start
+crash-undef-in-parens.c:1:26: error: undefined identifier 'UNDEF_STUFF_IN_PARENS'
+ * check-error-end
+ */
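Review bot: The new test only exercises the `rettype == &void_ctype` side of the condition that was fixed (`void foo(void)`); the `!rettype` "typeless" side of the same `if` is left uncovered, so a second case in this file (or a sibling test) that hits the typeless path with an undefined identifier in the return expression would pin down both halves of the fix. The expected output also documents the intended behaviour well: exactly one `undefined identifier` error at 1:26 and no follow-on "return expression in void function" error.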
-- 
2.28.0