From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 231354] Potential null pointer dereference in drm/r128
Date: Fri, 14 Sep 2018 02:41:31 +0000
List-Id: Bug reports

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231354

            Bug ID: 231354
           Summary: Potential null pointer dereference in drm/r128
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: yangx92@hotmail.com

Created attachment 197085
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=197085&action=edit
Patch of potential null pointer dereference

There is a potential null pointer dereference vulnerability in
drm/r128_cce.c and drm/r128_state.c.
drm/r128: Add test for initialisation to all ioctls that require it

Almost all r128's private ioctls require that the CCE state has already
been initialised. However, most do not test that this has been done, and
will proceed to dereference a null pointer. This may result in a security
vulnerability, since some ioctls are unprivileged.

This adds a macro for the common initialisation test and changes all ioctl
implementations that require prior initialisation to use that macro.

Also, r128_do_init_cce() does not test that the CCE state has not been
initialised already. Repeated initialisation may lead to a crash or
resource leak. This adds that test.

352 static int r128_do_init_cce(struct drm_device * dev, drm_r128_init_t * init)
353 {
354 	drm_r128_private_t *dev_priv;
355 
356 	DRM_DEBUG("\n");
357 
358 	dev_priv = drm_alloc(sizeof(drm_r128_private_t), DRM_MEM_DRIVER);
359 	if (dev_priv == NULL)
360 		return -ENOMEM;
361 
362 	memset(dev_priv, 0, sizeof(drm_r128_private_t));
363 
364 	dev_priv->is_pci = init->is_pci;
365 
366 	if (dev_priv->is_pci && !dev->sg) {
367 		DRM_ERROR("PCI GART memory not allocated!\n");
368 		dev->dev_private = (void *)dev_priv;
369 		r128_do_cleanup_cce(dev);
370 		return -EINVAL;
371 	}

For example, there is a missing check of dev->dev_private before line 358
in r128_do_init_cce() in sys/dev/drm/r128_cce.c (the repeated-initialisation
test described above). A patch for this vulnerability is attached.

-- 
You are receiving this mail because:
You are the assignee for the bug.
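The two checks the commit message describes, as an added example that is not part of the bug report or of the FreeBSD/Linux r128 driver: a user-space model of the driver with a guard macro run at the top of every CCE-dependent ioctl, and an r128_do_init_cce() that refuses a second initialisation instead of overwriting the existing dev_private. The structures, the macro name R128_DEV_INIT_TEST_WITH_RETURN, the ioctl r128_cce_start_ioctl() and the driver run_r128_init_checks() are assumptions constructed for this example; drm_alloc()/DRM_ERROR() are replaced with calloc()/fprintf() so the code runs outside the kernel.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-ins for the DRM structures (constructed for this example). */
typedef struct {
    int is_pci;
    int cce_running;
} drm_r128_private_t;

struct drm_device {
    void *dev_private;   /* NULL until r128_do_init_cce() has run */
    void *sg;            /* scatter-gather table used for PCI GART */
};

typedef struct {
    int is_pci;
} drm_r128_init_t;

/* Guard modelled on the "common initialisation test" macro the commit
 * message describes (hypothetical name): every ioctl that needs CCE state
 * runs this before touching dev_priv, so an uninitialised device yields
 * -EINVAL rather than a NULL dereference. */
#define R128_DEV_INIT_TEST_WITH_RETURN(_dev_priv)                          \
    do {                                                                   \
        if (!(_dev_priv)) {                                                \
            fprintf(stderr, "r128: ioctl called with no initialization\n"); \
            return -EINVAL;                                                \
        }                                                                  \
    } while (0)

static void r128_do_cleanup_cce(struct drm_device *dev)
{
    free(dev->dev_private);
    dev->dev_private = NULL;
}

/* Hardened init: the first statement is the repeated-initialisation test
 * missing before line 358 of the original, so a second call cannot leak
 * or replace the private state that ioctls already depend on. */
static int r128_do_init_cce(struct drm_device *dev, drm_r128_init_t *init)
{
    drm_r128_private_t *dev_priv;

    if (dev->dev_private) {
        fprintf(stderr, "r128: CCE already initialized\n");
        return -EINVAL;
    }

    dev_priv = calloc(1, sizeof(*dev_priv));   /* stands in for drm_alloc+memset */
    if (dev_priv == NULL)
        return -ENOMEM;

    dev_priv->is_pci = init->is_pci;

    if (dev_priv->is_pci && !dev->sg) {
        fprintf(stderr, "r128: PCI GART memory not allocated!\n");
        dev->dev_private = dev_priv;
        r128_do_cleanup_cce(dev);
        return -EINVAL;
    }

    dev->dev_private = dev_priv;
    return 0;
}

/* A representative CCE-dependent ioctl (hypothetical): with the guard in
 * place it fails cleanly when called before initialisation. */
static int r128_cce_start_ioctl(struct drm_device *dev)
{
    drm_r128_private_t *dev_priv = dev->dev_private;

    R128_DEV_INIT_TEST_WITH_RETURN(dev_priv);

    dev_priv->cce_running = 1;
    return 0;
}

/* Exercises the ordering the bug is about: ioctl before init, init, ioctl
 * after init, then a repeated init. Returns 0 when every case behaves as
 * intended; each set bit identifies the case that misbehaved. */
int run_r128_init_checks(void)
{
    struct drm_device dev = { .dev_private = NULL, .sg = (void *)1 };
    drm_r128_init_t init = { .is_pci = 1 };
    int rc = 0;

    if (r128_cce_start_ioctl(&dev) != -EINVAL)    rc |= 1;  /* formerly a NULL deref */
    if (r128_do_init_cce(&dev, &init) != 0)       rc |= 2;
    if (r128_cce_start_ioctl(&dev) != 0)          rc |= 4;
    if (r128_do_init_cce(&dev, &init) != -EINVAL) rc |= 8;  /* repeated init refused */

    r128_do_cleanup_cce(&dev);
    return rc;
}

int main(void)
{
    int rc = run_r128_init_checks();
    printf("r128 init checks: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The guard is placed on the local dev_priv copy rather than on dev->dev_private so that every ioctl reads the pointer exactly once; checking one copy and dereferencing another would reintroduce the race the macro is meant to close.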