* [PATCH] mtd/redboot: avoid null pointer deref
@ 2016-12-21 23:25 Jason A. Donenfeld
2017-01-03 2:22 ` Marek Vasut
0 siblings, 1 reply; 2+ messages in thread
From: Jason A. Donenfeld @ 2016-12-21 23:25 UTC (permalink / raw)
To: David Woodhouse, Brian Norris, linux-mtd, linux-kernel; +Cc: Jason A. Donenfeld
By giving a bogus partition name, it's possible to trigger a null
pointer dereference.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
drivers/mtd/redboot.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/mtd/redboot.c b/drivers/mtd/redboot.c
index 7623ac5fc586..53949ef80d36 100644
--- a/drivers/mtd/redboot.c
+++ b/drivers/mtd/redboot.c
@@ -212,6 +212,10 @@ static int parse_redboot_partitions(struct mtd_info *master,
nrparts++;
}
+ if (!fl) {
+ ret = -EINVAL;
+ goto out;
+ }
#ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
if (fl->img->flash_base) {
nrparts++;
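Review bot: the dereference this guards, `fl->img->flash_base`, sits inside `#ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED`, but the new `if (!fl)` check is placed before the `#ifdef`, so kernels built without that option also change behaviour: a table that links no entry now returns -EINVAL instead of continuing with nrparts == 0. If that is intended, the commit message should say so; otherwise move the added block inside the `#ifdef`, directly above `if (fl->img->flash_base) {`, so the change stays limited to the configuration that actually crashes.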
--
2.11.0
* Re: [PATCH] mtd/redboot: avoid null pointer deref
2016-12-21 23:25 [PATCH] mtd/redboot: avoid null pointer deref Jason A. Donenfeld
@ 2017-01-03 2:22 ` Marek Vasut
0 siblings, 0 replies; 2+ messages in thread
From: Marek Vasut @ 2017-01-03 2:22 UTC (permalink / raw)
To: Jason A. Donenfeld, David Woodhouse, Brian Norris, linux-mtd, linux-kernel
On 12/22/2016 12:25 AM, Jason A. Donenfeld wrote:
> By giving a bogus partition name, it's possible to trigger a null
> pointer dereference.
>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Nice catch. It'd be great to have the condition which can be used to
trigger this problem in the commit message. I presume this happens if
buf[i].name[0] = 0xff for all $i, right?
So please expand the explanation and add my Ack for V2:
Acked-by: Marek Vasut <marek.vasut@gmail.com>
Thanks
> ---
> drivers/mtd/redboot.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/mtd/redboot.c b/drivers/mtd/redboot.c
> index 7623ac5fc586..53949ef80d36 100644
> --- a/drivers/mtd/redboot.c
> +++ b/drivers/mtd/redboot.c
> @@ -212,6 +212,10 @@ static int parse_redboot_partitions(struct mtd_info *master,
>
> nrparts++;
> }
> + if (!fl) {
> + ret = -EINVAL;
> + goto out;
> + }
> #ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
> if (fl->img->flash_base) {
> nrparts++;
>
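Review bot: the added `if (!fl) {` block carries no comment saying why `fl` can still be NULL once the loop above has finished, which is the same condition the reply asks to have spelled out in the commit message. A one-line comment at the point of use, for example `/* no slot produced a list entry: nothing to parse */` above the check, documents it for the next reader of the function as well, since the commit message is not visible from the code.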
--
Best regards,
Marek Vasut
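To put the trigger condition Marek asks about into something you can run, here is an added userspace model of the counting pass in parse_redboot_partitions(). It is example code written for this page, not code from the kernel tree or from either poster. The struct layout, the slot() and demo_*() helpers, the WOULD_OOPS sentinel and the two sample FIS tables are constructed for the example; the checksum and flash_base masking of the real parser are left out, and the CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED accounting is always compiled in so that the fl->img->flash_base access the patch guards is reached. With 'patched' set the function does what the patch does (returns -EINVAL); with it clear it returns the sentinel at the point where the kernel would dereference NULL.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WOULD_OOPS (-1000)	/* constructed sentinel: unpatched code oopses here */

/* Only the FIS fields the walk touches; the real struct has more (assumption). */
struct fis_image_desc { unsigned char name[16]; uint32_t flash_base, size; };
struct fis_list { struct fis_image_desc *img; struct fis_list *next; };

/* Fill a constructed slot: name == NULL writes the 0xff/0xff end-of-table
 * marker, name == "" a slot whose name starts with 0xff (skipped). */
static void slot(struct fis_image_desc *d, const char *name, uint32_t base,
		 uint32_t size)
{
	memset(d, 0, sizeof(*d));
	d->flash_base = base;
	d->size = size;
	if (!name)
		memset(d->name, 0xff, sizeof(d->name));
	else if (!*name)
		d->name[0] = 0xff;
	else
		strncpy((char *)d->name, name, sizeof(d->name) - 1);
}

/* Counting pass of parse_redboot_partitions(), simplified (no checksum, no
 * flash_base masking, UNALLOCATED accounting always on). Returns nrparts, or
 * a negative value when no slot produced a list entry. */
static int count_redboot_partitions(struct fis_image_desc *buf, int numslots,
				    uint32_t erasesize, int patched)
{
	struct fis_list *fl = NULL, *tmp_fl;
	int nrparts = 0, ret, i;

	for (i = 0; i < numslots; i++) {
		struct fis_list *new_fl, **prev;

		if (buf[i].name[0] == 0xff) {
			if (buf[i].name[1] == 0xff)
				break;		/* end of table */
			continue;		/* unused slot */
		}
		new_fl = malloc(sizeof(*new_fl));
		if (!new_fl) { ret = -ENOMEM; goto out; }
		new_fl->img = &buf[i];
		prev = &fl;		/* keep the list sorted by flash_base */
		while (*prev && (*prev)->img->flash_base < new_fl->img->flash_base)
			prev = &(*prev)->next;
		new_fl->next = *prev;
		*prev = new_fl;
		nrparts++;
	}
	if (!fl) {	/* the patch's check; without it fl->img below is a NULL deref */
		ret = patched ? -EINVAL : WOULD_OOPS;
		goto out;
	}
	/* CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED: gaps become extra partitions */
	if (fl->img->flash_base)
		nrparts++;
	for (tmp_fl = fl; tmp_fl->next; tmp_fl = tmp_fl->next)
		if (tmp_fl->img->flash_base + tmp_fl->img->size + erasesize <=
		    tmp_fl->next->img->flash_base)
			nrparts++;
	ret = nrparts;
out:
	while (fl) {
		tmp_fl = fl;
		fl = fl->next;
		free(tmp_fl);
	}
	return ret;
}

/* Constructed sane table, listed out of address order to exercise the sort. */
static int demo_valid_table(int patched)
{
	struct fis_image_desc buf[4];

	slot(&buf[0], "kernel", 0x40000, 0x100000);
	slot(&buf[1], "RedBoot", 0x0, 0x20000);
	slot(&buf[2], "FIS directory", 0x7f0000, 0x1000);
	slot(&buf[3], NULL, 0, 0);
	return count_redboot_partitions(buf, 4, 0x10000, patched);
}

/* The trigger Marek describes: name[0] == 0xff in every slot. */
static int demo_bogus_table(int patched)
{
	struct fis_image_desc buf[3];

	slot(&buf[0], "", 0, 0);
	slot(&buf[1], "", 0, 0);
	slot(&buf[2], "", 0, 0);
	return count_redboot_partitions(buf, 3, 0x10000, patched);
}

int main(void)
{
	printf("valid table: %d partitions\n", demo_valid_table(1));
	printf("bogus table, patched: %d (-EINVAL)\n", demo_bogus_table(1));
	printf("bogus table, unpatched: %d (would oops)\n", demo_bogus_table(0));
	return 0;
}
```

The sane table yields 3 named partitions plus the 2 unallocated gaps between them, i.e. 5, whether or not the check is present. The table in which every slot has name[0] == 0xff links nothing, so fl is still NULL after the loop; that is the case the three added lines turn into -EINVAL, and an empty table whose first slot is the 0xff/0xff end marker takes the same path because the loop breaks before anything is linked.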