Bug 44691
| Summary: | Missing NULL check of the return value of __get_free_pages() in function lkdtm_debugfs_read() | ||
|---|---|---|---|
| Product: | Drivers | Reporter: | RUC_Soft_Sec (rucsoftsec) |
| Component: | Other | Assignee: | Alan (alan) |
| Status: | RESOLVED CODE_FIX | ||
| Severity: | normal | CC: | alan, florian |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 2.6.39 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
A patch referencing this bug report has been merged in Linux v3.6-rc1: commit 086ff4b3a7fb9cdf41e6a5d0ccd99b86d84633a1 Author: Alan Cox <alan@linux.intel.com> Date: Mon Jul 30 14:43:24 2012 -0700 drivers/misc/lkdtm.c: fix missing allocation failure check |
Function __get_free_page() will return an address refer to NULL when there is no enough memory. Thus the return value of __get_free_page() shall be checked against NULL before used. But in function lkdtm_debugfs_read(), there is no checking of the return value after __get_free_page() is called at drivers/misc/lkdtm.c:467. So an invalid memory access fault may be triggered at line 469, where the return value of __get_free_page() is used. The related code snippets are as following. lkdtm_debugfs_read() @@drivers/misc/lkdtm.c:467 467 buf = (char *)__get_free_page(GFP_KERNEL); 468 469 n = snprintf(buf, PAGE_SIZE, "Available crash types:\n"); Generally, the return value of __get_free_page() are always checked before used. Take do_register_entry(), a function in the same file with lkdtm_debugfs_read(), for example. do_register_entry() @@drivers/misc/lkdtm.c:434 434 buf = (char *)__get_free_page(GFP_KERNEL); 435 if (!buf) 436 return -ENOMEM; 437 if (copy_from_user(buf, user_buf, count)) { 438 free_page((unsigned long) buf); 439 return -EFAULT; 440 } Thank you RUC_Soft_Sec