Bug 9063

Summary: NULL pointer dereference in drivers/base/platform.c:platform_uevent
Product: Drivers Reporter: Török Edwin (edwin+bugs)
Component: Other Assignee: drivers_other
Status: CLOSED PATCH_ALREADY_AVAILABLE    
Severity: normal    
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 2.6.23-rc6-hrt1-gc87ce658-dirty Subsystem:
Regression: --- Bisected commit-id:

Description Török Edwin 2007-09-24 12:11:54 UTC
Most recent kernel where this bug did not occur:
Distribution: Debian sid
Hardware Environment: AMD Athlon(tm) 64 Processor 3200+
Software Environment: gcc 4.2.1
Problem Description:
platform_uevent can dereference a NULL pointer, and I get an oops.
Call Trace:
 [<ffffffff8032bf2b>] vsnprintf+0x36b/0x6e0
 [<ffffffff8032c2f1>] sprintf+0x51/0x60
 [<ffffffff803a34d2>] platform_uevent+0x22/0x30
 [<ffffffff8039f979>] dev_uevent+0x139/0x220
 [<ffffffff8039ead9>] show_uevent+0xe9/0x170
 [<ffffffff80276cc0>] __alloc_pages+0xa0/0x360
 [<ffffffff802e8882>] sysfs_read_file+0xa2/0x150
 [<ffffffff80298db0>] vfs_read+0xf0/0x170
 [<ffffffff80299243>] sys_read+0x53/0x90
 [<ffffffff8020c0be>] system_call+0x7e/0x83

If you need the entire oops message, please ask.

Steps to reproduce:
$ file /sys/devices/platform/floppy.0/uevent
Killed
Look in dmesg to see the oops.

Looking at the code, pdev->name isn't checked for NULL.

Why this is a problem: the program is killed when opening a file. That is not supposed to happen; think of ftp/http servers and virus scanners.
If somebody makes a link to that file, your server is dead.

Comment 1 Török Edwin 2007-09-29 07:22:46 UTC
I upgraded to 2.6.23-rc8, and I couldn't reproduce the problem anymore.
$ file /sys/devices/platform/floppy.0/uevent
/sys/devices/platform/floppy.0/uevent: ASCII text

Both vanilla 2.6.23-rc8 and 2.6.23-rc8-hrt1-cfs-v22-g1bef7dc0-dirty work fine. 
Closing.
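
Added example, not part of the original report: a small triage helper that parses the call trace quoted in the description, computes each function's start address (return address minus offset) for lookup in System.map, and picks out the first frame that is not a string-formatting helper and the syscall that entered the path. The function names and the `GENERIC_HELPERS` set are assumptions made for this illustration.

```python
import re

# Call trace copied verbatim from the description above.
TRACE = """\
 [<ffffffff8032bf2b>] vsnprintf+0x36b/0x6e0
 [<ffffffff8032c2f1>] sprintf+0x51/0x60
 [<ffffffff803a34d2>] platform_uevent+0x22/0x30
 [<ffffffff8039f979>] dev_uevent+0x139/0x220
 [<ffffffff8039ead9>] show_uevent+0xe9/0x170
 [<ffffffff80276cc0>] __alloc_pages+0xa0/0x360
 [<ffffffff802e8882>] sysfs_read_file+0xa2/0x150
 [<ffffffff80298db0>] vfs_read+0xf0/0x170
 [<ffffffff80299243>] sys_read+0x53/0x90
 [<ffffffff8020c0be>] system_call+0x7e/0x83
"""

# One frame: [<address>] symbol+0xoffset/0xsize
FRAME_RE = re.compile(
    r"\[<([0-9a-f]{8,16})>\]\s+([\w.]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)"
)

# Assumption: formatting helpers that are rarely the root cause themselves;
# the caller that handed them the bad pointer is the interesting frame.
GENERIC_HELPERS = {"vsnprintf", "vsprintf", "snprintf", "sprintf"}


def parse_trace(text):
    """Return the frames of an oops call trace, innermost first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.search(line)
        if not m:
            continue  # skip register dumps, headers, blank lines
        addr, symbol = int(m.group(1), 16), m.group(2)
        offset, size = int(m.group(3), 16), int(m.group(4), 16)
        frames.append({"addr": addr, "symbol": symbol, "offset": offset,
                       "size": size, "start": addr - offset})
    return frames


def first_specific_frame(frames):
    """Innermost frame that is not a generic formatting helper."""
    return next((f for f in frames if f["symbol"] not in GENERIC_HELPERS), None)


def entry_syscall(frames):
    """The syscall through which userspace reached the faulting path."""
    return next((f for f in frames if f["symbol"].startswith("sys_")), None)
```
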