Date:      Fri, 14 Sep 2018 02:41:31 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 231354] Potential null pointer dereference in drm/r128
Message-ID:  <bug-231354-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231354

            Bug ID: 231354
           Summary: Potential null pointer dereference in drm/r128
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: yangx92@hotmail.com

Created attachment 197085
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=197085&action=edit
Patch for potential null pointer dereference

There is a potential null pointer dereference vulnerability in drm/r128_cce.c and
drm/r128_state.c.


    drm/r128: Add test for initialisation to all ioctls that require it

    Almost all r128's private ioctls require that the CCE state has
    already been initialised.  However, most do not test that this has
    been done, and will proceed to dereference a null pointer.  This may
    result in a security vulnerability, since some ioctls are
    unprivileged.

    This adds a macro for the common initialisation test and changes all
    ioctl implementations that require prior initialisation to use that
    macro.

    Also, r128_do_init_cce() does not test that the CCE state has not
    been initialised already.  Repeated initialisation may lead to a crash
    or resource leak.  This adds that test.


352 static int r128_do_init_cce(struct drm_device * dev, drm_r128_init_t * init)
353 {
354         drm_r128_private_t *dev_priv;
355
356         DRM_DEBUG("\n");
357
358         dev_priv = drm_alloc(sizeof(drm_r128_private_t), DRM_MEM_DRIVER);
359         if (dev_priv == NULL)
360                 return -ENOMEM;
361
362         memset(dev_priv, 0, sizeof(drm_r128_private_t));
363
364         dev_priv->is_pci = init->is_pci;
365
366         if (dev_priv->is_pci && !dev->sg) {
367                 DRM_ERROR("PCI GART memory not allocated!\n");
368                 dev->dev_private = (void *)dev_priv;
369                 r128_do_cleanup_cce(dev);
370                 return -EINVAL;
371         }

For example, there is a missing check for dev->dev_private before line 358 in
r128_do_init_cce in sys/dev/drm/r128_cce.c.


A patch for this vulnerability is attached.
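The pattern the quoted commit message describes, as an added example written for this page (not FreeBSD's r128 code): an ioctl body that dereferences dev->dev_private unguarded beside one guarded by a common init-test macro, plus an init routine with the repeated-initialisation test added. The struct layouts, the function names and the macro name DEV_INIT_TEST_WITH_RETURN are assumptions; the PCI GART failure path is simplified to a free() instead of the driver's cleanup routine.

```c
/* Added example, not the FreeBSD/DRM code: a reduced model of the r128
 * ioctl pattern. Struct layouts and the macro name are assumptions. */
#include <stdlib.h>
#include <errno.h>

struct drm_r128_private { int is_pci; int cce_running; };
struct drm_device { void *dev_private; void *sg; };
struct drm_r128_init { int is_pci; };

/* Common initialisation test: reject any ioctl that needs CCE state
 * before the init ioctl has set dev->dev_private. */
#define DEV_INIT_TEST_WITH_RETURN(dev) \
    do { if ((dev)->dev_private == NULL) return -EINVAL; } while (0)

/* Before: unconditional dereference. Called before init, dev_priv is
 * NULL and this faults, so the test never calls it on a fresh device. */
int r128_cce_idle_unchecked(struct drm_device *dev)
{
    struct drm_r128_private *dev_priv = dev->dev_private;
    return dev_priv->cce_running ? 0 : -EBUSY;
}

/* After: the macro runs first, so the dereference below is guarded. */
int r128_cce_idle_checked(struct drm_device *dev)
{
    struct drm_r128_private *dev_priv;
    DEV_INIT_TEST_WITH_RETURN(dev);
    dev_priv = dev->dev_private;
    return dev_priv->cce_running ? 0 : -EBUSY;
}

/* Init with the missing "already initialised" test added: a second init
 * ioctl no longer replaces (and leaks) the existing private state. */
int r128_do_init_cce_checked(struct drm_device *dev, struct drm_r128_init *init)
{
    struct drm_r128_private *dev_priv;
    if (dev->dev_private != NULL)
        return -EINVAL;                 /* repeated initialisation */
    dev_priv = calloc(1, sizeof(*dev_priv));
    if (dev_priv == NULL)
        return -ENOMEM;
    dev_priv->is_pci = init->is_pci;
    if (dev_priv->is_pci && !dev->sg) { /* PCI GART memory not allocated */
        free(dev_priv);                 /* simplified cleanup path */
        return -EINVAL;
    }
    dev_priv->cce_running = 1;
    dev->dev_private = dev_priv;
    return 0;
}
```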

-- 
You are receiving this mail because:
You are the assignee for the bug.