Date: Fri, 14 Sep 2018 02:41:31 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 231354] Potential null pointer dereference in drm/r128
Message-ID: <bug-231354-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231354

Bug ID: 231354
Summary: Potential null pointer dereference in drm/r128
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: yangx92@hotmail.com

Created attachment 197085
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=197085&action=edit
Patch of potential null pointer dereference

There is a potential null pointer dereference vulnerability in drm/r128_cce.c and drm/r128_state.c.

drm/r128: Add test for initialisation to all ioctls that require it

Almost all r128's private ioctls require that the CCE state has already been initialised. However, most do not test that this has been done, and will proceed to dereference a null pointer. This may result in a security vulnerability, since some ioctls are unprivileged.

This adds a macro for the common initialisation test and changes all ioctl implementations that require prior initialisation to use that macro.

Also, r128_do_init_cce() does not test that the CCE state has not been initialised already. Repeated initialisation may lead to a crash or resource leak. This adds that test.

    352 static int r128_do_init_cce(struct drm_device * dev, drm_r128_init_t * init)
    353 {
    354         drm_r128_private_t *dev_priv;
    355
    356         DRM_DEBUG("\n");
    357
    358         dev_priv = drm_alloc(sizeof(drm_r128_private_t), DRM_MEM_DRIVER);
    359         if (dev_priv == NULL)
    360                 return -ENOMEM;
    361
    362         memset(dev_priv, 0, sizeof(drm_r128_private_t));
    363
    364         dev_priv->is_pci = init->is_pci;
    365
    366         if (dev_priv->is_pci && !dev->sg) {
    367                 DRM_ERROR("PCI GART memory not allocated!\n");
    368                 dev->dev_private = (void *)dev_priv;
    369                 r128_do_cleanup_cce(dev);
    370                 return -EINVAL;
    371         }

For example, there is a missing check for dev->dev_private before line 358 in r128_do_init_cce in sys/dev/drm/r128_cce.c. A patch for this vulnerability is attached.
-- 
You are receiving this mail because:
You are the assignee for the bug.
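As an added example (not the r128 driver's own code and not the attached patch), a minimal user-space model of the two checks the report asks for: an initialisation test macro that every CCE-dependent ioctl runs first, and an init routine that refuses to run twice. The struct layouts, the macro name and the ioctl body are assumed stand-ins, not the kernel's definitions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the kernel's drm_device / drm_r128_private_t. */
struct r128_private { int cce_running; };
struct drm_device { void *dev_private; }; /* NULL until the CCE is initialised */

/* The common initialisation test from the report, as one macro that every
 * ioctl needing CCE state runs first: fail with EINVAL instead of crashing.
 * (The macro name is this example's own, not necessarily the driver's.) */
#define R128_INIT_TEST_WITH_RETURN(dev)                                      \
    do {                                                                     \
        if ((dev)->dev_private == NULL) {                                    \
            fprintf(stderr, "%s called with no initialization\n", __func__); \
            return -EINVAL;                                                  \
        }                                                                    \
    } while (0)

/* Init refuses to run twice, so a repeated init ioctl can neither leak the
 * first private struct nor replace state other ioctls are still using. */
int r128_do_init_cce(struct drm_device *dev)
{
    struct r128_private *priv;

    if (dev->dev_private != NULL)
        return -EINVAL;
    priv = calloc(1, sizeof(*priv));
    if (priv == NULL)
        return -ENOMEM;
    dev->dev_private = priv;
    return 0;
}

/* Model of an unprivileged ioctl that used to dereference dev_private blindly. */
int r128_cce_start_ioctl(struct drm_device *dev)
{
    R128_INIT_TEST_WITH_RETURN(dev);
    ((struct r128_private *)dev->dev_private)->cce_running = 1;
    return 0;
}

void r128_do_cleanup_cce(struct drm_device *dev)
{
    free(dev->dev_private);
    dev->dev_private = NULL;   /* later ioctls hit the test, not a dangling pointer */
}
```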