Bug 9573 - NULL pointer dereference on drivers/usb/serial/whiteheat.c
Summary: NULL pointer dereference on drivers/usb/serial/whiteheat.c
Status: CLOSED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: USB (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Greg Kroah-Hartman
URL:
Keywords:
Depends on:
Blocks: USB
  Show dependency tree
 
Reported: 2007-12-15 07:08 UTC by Marcio Buss
Modified: 2008-09-22 10:44 UTC (History)
0 users

See Also:
Kernel Version: 2.6.23
Subsystem:
Regression: ---
Bisected commit-id:


Attachments

Description Marcio Buss 2007-12-15 07:08:51 UTC
There's a null pointer dereference on drivers/usb/serial/whiteheat.c as follows:

(1) line 613:  the test "if (port->tty)" implies that null is a legal value
    for "port->tty" at that point

(2) neither firm_open nor firm_purge initialize "port->tty"

(3) line 630: "port->tty" is dereferenced at statement
    old_term.c_cflag = ~port->tty->termios->c_cflag;
Comment 1 Anonymous Emailer 2007-12-15 20:23:55 UTC
Reply-To: akpm@linux-foundation.org

On Sat, 15 Dec 2007 07:08:52 -0800 (PST) bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=9573
> 
>            Summary: NULL pointer dereference on
>                     drivers/usb/serial/whiteheat.c
>            Product: Drivers
>            Version: 2.5
>      KernelVersion: 2.6.23
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: USB
>         AssignedTo: greg@kroah.com
>         ReportedBy: marciobuss@gmail.com
> 
> 
> There's a null pointer dereference on drivers/usb/serial/whiteheat.c as
> follows:
> 
> (1) line 613:  the test "if (port->tty)" implies that null is a legal value
>     for "port->tty" at that point
> 
> (2) neither firm_open nor firm_purge initialize "port->tty"
> 
> (3) line 630: "port->tty" is dereferenced at statement
>     old_term.c_cflag = ~port->tty->termios->c_cflag;
> 
> 
> -- 
> Configure bugmail: http://bugzilla.kernel.org/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug, or are watching someone who is.
Comment 2 Anonymous Emailer 2007-12-20 03:22:48 UTC
Reply-To: oliver@neukum.org

Am Sonntag, 16. Dezember 2007 05:23:47 schrieb Andrew Morton:
> On Sat, 15 Dec 2007 07:08:52 -0800 (PST) bugme-daemon@bugzilla.kernel.org
> wrote:
> 
> > http://bugzilla.kernel.org/show_bug.cgi?id=9573
 
> > There's a null pointer dereference on drivers/usb/serial/whiteheat.c as
> > follows:
> > 
> > (1) line 613:  the test "if (port->tty)" implies that null is a legal value
> >     for "port->tty" at that point
> > 
> > (2) neither firm_open nor firm_purge initialize "port->tty"

drivers/usb/serial/usb-serial::serial_open() sets port->tty
The check for NULL is bogus. This patch removes the check.

Signed-off-by: Oliver Neukum <oneukum@suse.de>

	Regards
		Oliver

----

--- a/drivers/usb/serial/whiteheat.c	2007-12-20 11:55:55.000000000 +0100
+++ b/drivers/usb/serial/whiteheat.c	2007-12-20 11:56:20.000000000 +0100
@@ -610,8 +610,7 @@ static int whiteheat_open (struct usb_se
 	if (retval)
 		goto exit;
 
-	if (port->tty)
-		port->tty->low_latency = 1;
+	port->tty->low_latency = 1;
 
 	/* send an open port command */
 	retval = firm_open(port);
Comment 3 Alan 2007-12-20 07:59:45 UTC
On Thu, 20 Dec 2007 12:23:03 +0100
Oliver Neukum <oliver@neukum.org> wrote:

> Am Sonntag, 16. Dezember 2007 05:23:47 schrieb Andrew Morton:
> > On Sat, 15 Dec 2007 07:08:52 -0800 (PST) bugme-daemon@bugzilla.kernel.org
> wrote:
> > 
> > > http://bugzilla.kernel.org/show_bug.cgi?id=9573
>  
> > > There's a null pointer dereference on drivers/usb/serial/whiteheat.c as
> > > follows:
> > > 
> > > (1) line 613:  the test "if (port->tty)" implies that null is a legal
> value
> > >     for "port->tty" at that point
> > > 
> > > (2) neither firm_open nor firm_purge initialize "port->tty"
> 
> drivers/usb/serial/usb-serial::serial_open() sets port->tty
> The check for NULL is bogus. This patch removes the check.
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.de>

USB serial is full of these. Happy hunting

Acked-by: Alan Cox <alan@redhat.com>
Comment 4 Alan 2008-09-22 10:44:17 UTC
Resolved - actually the test was needed due to console interfaces

Note You need to log in before you can comment on or make changes to this bug.