Date: Mon, 21 Oct 2024 04:30:15 +0000 From: bugzilla-noreply@freebsd.org To: virtualization@FreeBSD.org Subject: [Bug 282237] bhyve: usb_mouse.c segfaults due to incomplete NULL checking Message-ID: <bug-282237-27103@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282237

            Bug ID: 282237
           Summary: bhyve: usb_mouse.c segfaults due to incomplete NULL
                    checking
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: jackdbendtsen@gmail.com

Some of the cases inside umouse_request() (usr.sbin/bhyve/usb_mouse.c) use
the data component of an event, while only partially checking if it's NULL.
For example:

```
	case UREQ(UR_GET_STATUS, UT_READ_INTERFACE):
	case UREQ(UR_GET_STATUS, UT_READ_ENDPOINT):
		DPRINTF(("umouse: (UR_GET_STATUS, UT_READ_INTERFACE)"));
		if (data != NULL && len > 1) {
			USETW(udata, 0);
			data->blen = len - 2;
			data->bdone += 2;
		}
		eshort = data->blen > 0;
		break;
```

As you can see, 'data' has a NULL check, but then 'data' is immediately
dereferenced anyway after the check, regardless of whether it's NULL or not.
There are actually four occurrences of this same bug, each in a different
case in this switch block.

Here's a patch that can be applied to CURRENT that fixes the issue:

```
533c533
< eshort = data->blen > 0;
---
> eshort = data != NULL && data->blen > 0;
544c544
< eshort = data->blen > 0;
---
> eshort = data != NULL && data->blen > 0;
629c629
< eshort = data->blen > 0;
---
> eshort = data != NULL && data->blen > 0;
638c638
< eshort = data->blen > 0;
---
> eshort = data != NULL && data->blen > 0;
```

Cheers,
Jack Bendtsen

--
You are receiving this mail because:
You are the assignee for the bug.
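Review bot: in 533c533 the new guard turns a NULL `data` into `eshort = false` rather than a crash, which is the right minimal fix (the `&&` short-circuits before `data->blen` is read), but it silently makes "no data block" look like a complete, non-short transfer for a UR_GET_STATUS request whose `udata` was never written. Please state in the commit message what a NULL `data` means for these requests, and if no case in this switch can do useful work without a data block, consider one `if (data == NULL)` check ahead of the switch instead of patching the `eshort` line in four places; the quoted case shows the same `data != NULL && len > 1` guard is already duplicated, so a single early return would remove the pattern rather than paper over each instance.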
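Review bot: 544c544, like the other three hunks, is an ed/normal-format diff keyed to an absolute line number with no surrounding context, so it stops applying as soon as anything above line 544 in usb_mouse.c moves and a reviewer cannot tell from the hunk which switch case it lands in. Please regenerate the patch with `diff -u` (or `git diff`) against CURRENT so each hunk carries its `@@` header and three lines of context, and the changed `eshort = ...` line is identifiable by the case it belongs to rather than by position.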
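The "partial NULL check" the report describes, with the buggy form next to the guarded form from the patch, as an added example that is not bhyve's code. `struct xfer_block`, `USETW_LE` and the two `get_status_*` functions are invented stand-ins for bhyve's data block, the `USETW()` macro and the `UR_GET_STATUS` case of `umouse_request()`; the field layout and the 8-byte request length are assumptions for illustration.

```c
/*
 * Added example (not bhyve code): the incomplete NULL check from the report
 * beside the guarded form from the proposed patch.  struct xfer_block,
 * USETW_LE and the get_status_* functions are invented stand-ins.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the transfer block the handler fills in (assumed layout). */
struct xfer_block {
    uint8_t buf[64];   /* reply bytes; udata points here in the real code */
    int     blen;      /* bytes still to transfer */
    int     bdone;     /* bytes already produced */
};

/* Little-endian 16-bit store with the same shape as USETW() in sys/dev/usb/usb.h. */
#define USETW_LE(p, v) \
    do { (p)[0] = (uint8_t)(v); (p)[1] = (uint8_t)((v) >> 8); } while (0)

/*
 * Buggy form, as in the report: the body of the if is guarded, but the
 * dereference that computes eshort is not, so data == NULL crashes here.
 * Kept only for comparison; never call it with NULL.
 */
static bool get_status_unsafe(struct xfer_block *data, int len)
{
    if (data != NULL && len > 1) {
        USETW_LE(data->buf, 0);
        data->blen = len - 2;
        data->bdone += 2;
    }
    return data->blen > 0;              /* NULL dereference when data == NULL */
}

/* Guarded form, matching the one-line change in each of the four hunks. */
static bool get_status_safe(struct xfer_block *data, int len)
{
    if (data != NULL && len > 1) {
        USETW_LE(data->buf, 0);
        data->blen = len - 2;
        data->bdone += 2;
    }
    return data != NULL && data->blen > 0;   /* short-circuits before the deref */
}

int main(void)
{
    struct xfer_block blk = { .blen = 0, .bdone = 0 };

    /* Normal request: 8-byte window, 2 status bytes produced, 6 left, so eshort is set. */
    bool eshort = get_status_safe(&blk, 8);
    printf("safe(len=8): eshort=%d blen=%d bdone=%d\n", eshort, blk.blen, blk.bdone);

    /* Request with no data block: the guarded form reports eshort=0 instead of crashing. */
    printf("safe(NULL):  eshort=%d\n", get_status_safe(NULL, 8));

    (void)get_status_unsafe;   /* calling this with NULL segfaults, as in the report */
    return 0;
}
```

The point of the side-by-side is that the fix changes nothing for a valid block: `blen` and `bdone` are updated identically, and only the NULL path differs, which is what makes the one-line change safe to apply in all four cases without re-reading each one.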
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-282237-27103>