When cmd isn't IOC_IN | IOC_OUT a null "kdata" goes to "memset", which dereferences it.
Signed-off-by: Rodrigo Vivi rodrigo.vivi@gmail.com --- drivers/gpu/drm/drm_drv.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index 1490e76..5945920 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -452,8 +452,16 @@ long drm_ioctl(struct file *filp, retcode = -EFAULT; goto err_i1; } - } else + } else { + if (!kdata) { + kdata = kmalloc(usize, GFP_KERNEL); + if (!kdata) { + retcode = -ENOMEM; + goto err_i1; + } + } memset(kdata, 0, usize); + }
if (ioctl->flags & DRM_UNLOCKED) retcode = func(dev, kdata, file_priv);
On Tue, 9 Oct 2012 14:50:46 -0300, Rodrigo Vivi rodrigo.vivi@gmail.com wrote:
When cmd isn't IOC_IN | IOC_OUT a null "kdata" goes to "memset", which dereferences it.
usize should be 0 in that case, since the ioctl is neither copying data in or out, for example I915_GEM_THROTTLE. To be on the safe side: if (IOC_IN | IOC_OUT) { /* blah */ } else usize = 0; -Chris
When cmd isn't IOC_IN | IOC_OUT a null "kdata" goes to "memset", which dereferences it.
v2: simpler version just using usize = 0 instead of allocating useless memory
Signed-off-by: Rodrigo Vivi rodrigo.vivi@gmail.com --- drivers/gpu/drm/drm_drv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index 1490e76..f72dce5 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -444,7 +444,8 @@ long drm_ioctl(struct file *filp, } if (asize > usize) memset(kdata + usize, 0, asize - usize); - } + } else + usize = 0;
if (cmd & IOC_IN) { if (copy_from_user(kdata, (void __user *)arg,
On Tue, 9 Oct 2012 16:56:58 -0300, Rodrigo Vivi rodrigo.vivi@gmail.com wrote:
Presuming that coverity is smart enough not to complain about memcpy(NULL, src, 0),
Reviewed-by: Chris Wilson chris@chris-wilson.co.uk -Chris
dri-devel@lists.freedesktop.org
-
Chris Wilson -
Rodrigo Vivi