Bug 44691

Summary: Missing NULL check of the return value of __get_free_pages() in function lkdtm_debugfs_read()
Product: Drivers Reporter: RUC_Soft_Sec (rucsoftsec)
Component: Other Assignee: Alan (alan)
Status: RESOLVED CODE_FIX    
Severity: normal CC: alan, florian
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 2.6.39 Tree: Mainline
Regression: No

Description RUC_Soft_Sec 2012-07-13 08:22:20 UTC
Function __get_free_page() will return an address referring to NULL when there is not enough memory. Thus the return value of __get_free_page() shall be checked against NULL before being used. But in function lkdtm_debugfs_read(), there is no check of the return value after __get_free_page() is called at drivers/misc/lkdtm.c:467. So an invalid memory access fault may be triggered at line 469, where the return value of __get_free_page() is used.
The related code snippets are as follows.
lkdtm_debugfs_read() @@drivers/misc/lkdtm.c:467
 467        buf = (char *)__get_free_page(GFP_KERNEL);
 468
 469        n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");

Generally, the return value of __get_free_page() is always checked before being used. Take do_register_entry(), a function in the same file as lkdtm_debugfs_read(), for example.
do_register_entry() @@drivers/misc/lkdtm.c:434
 434        buf = (char *)__get_free_page(GFP_KERNEL);
 435        if (!buf)
 436                return -ENOMEM;
 437        if (copy_from_user(buf, user_buf, count)) {
 438                free_page((unsigned long) buf);
 439                return -EFAULT;
 440        }

Thank you

RUC_Soft_Sec
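
A userspace model of the checked read path, added here as an illustration; it is not part of the report and not code from the kernel tree. model_get_free_page(), model_free_page(), debugfs_read_checked() and the fault-injection flag are hypothetical stand-ins for the kernel calls named above, and PAGE_SIZE is a constructed value.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define PAGE_SIZE 4096          /* constructed value for the model */
static int fail_next_alloc;     /* fault injection: next allocation fails */
static int pages_outstanding;   /* pages allocated and not yet freed */

/* Hypothetical userspace stand-in for __get_free_page(): 0 on failure. */
static unsigned long model_get_free_page(void)
{
	void *p = fail_next_alloc ? NULL : malloc(PAGE_SIZE);

	fail_next_alloc = 0;
	if (p)
		pages_outstanding++;
	return (unsigned long)p;
}

/* Hypothetical userspace stand-in for free_page(). */
static void model_free_page(unsigned long addr)
{
	pages_outstanding--;
	free((void *)addr);
}

/* Read path with the check the report asks for, as in do_register_entry(). */
static ssize_t debugfs_read_checked(char *out, size_t count)
{
	char *buf = (char *)model_get_free_page();
	int n;

	if (!buf)
		return -ENOMEM;         /* fail the read, never format into NULL */
	n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
	if ((size_t)n > count)
		n = (int)count;
	memcpy(out, buf, (size_t)n);    /* stands in for the copy to user space */
	model_free_page((unsigned long)buf);
	return n;
}
```

Setting fail_next_alloc before a call exercises the out-of-memory branch; pages_outstanding returning to zero confirms the page is released on the success path.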
Comment 1 Florian Mickler 2012-08-04 19:06:27 UTC
A patch referencing this bug report has been merged in Linux v3.6-rc1:

commit 086ff4b3a7fb9cdf41e6a5d0ccd99b86d84633a1
Author: Alan Cox <alan@linux.intel.com>
Date:   Mon Jul 30 14:43:24 2012 -0700

    drivers/misc/lkdtm.c: fix missing allocation failure check