Bug 49241

Summary: [PATCH] Unsafe dereference of pointer after allocing memory
Product: SCSI Drivers Reporter: Yeping Yang (yangyeping_666)
Component: Other Assignee: Alan (alan)
Status: RESOLVED CODE_FIX
Severity: normal CC: alan, linux-scsi
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 3.0.47 Subsystem:
Regression: No Bisected commit-id:

Description Yeping Yang 2012-10-22 09:35:46 UTC
Vulnerability kind: Null-pointer dereference
The file path containing this vulnerability: drivers/scsi/mac_scsi.c
Line number: 290
Severity: medium
Code fragment (from line 270 to line 290):

    instance = scsi_register (tpnt, sizeof(struct NCR5380_hostdata));
#if NDEBUG
    default_instance = instance;
#endif

    if (macintosh_config->ident == MAC_MODEL_IIFX) {
        mac_scsi_regp  = via1+0x8000;
        mac_scsi_drq   = via1+0xE000;
        mac_scsi_nodrq = via1+0xC000;
        /* The IIFX should be able to do true DMA, but pseudo-dma doesn't work */
        flags = FLAG_NO_PSEUDO_DMA;
    } else {
        mac_scsi_regp  = via1+0x10000;
        mac_scsi_drq   = via1+0x6000;
        mac_scsi_nodrq = via1+0x12000;
    }

    if (! setup_use_pdma)
        flags = FLAG_NO_PSEUDO_DMA;

    instance->io_port = (unsigned long) mac_scsi_regp;

Description: The variable "instance" is defined at line 270 via function "scsi_register" but is not sanity-checked. Then it is dereferenced at line 290.
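The following is an added illustration, not code from the report or from the kernel tree: a user-space model of the detect path quoted above, with a stand-in for scsi_register() (which, like the real function, returns NULL when the host cannot be allocated) and the missing NULL check in place so that an allocation failure reports "no host found" instead of dereferencing a NULL pointer. The struct, macro values and the fake_alloc_fails knob are constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel definitions used in mac_scsi.c (not the real ones). */
struct Scsi_Host { unsigned long io_port; int flags; };
#define MAC_MODEL_IIFX     1
#define FLAG_NO_PSEUDO_DMA 0x01

/* Hypothetical knob so a caller can simulate memory exhaustion inside scsi_register(). */
static int fake_alloc_fails = 0;

/* Stand-in for scsi_register(): returns NULL when the host structure cannot be allocated. */
static struct Scsi_Host *fake_scsi_register(size_t privsize)
{
    (void)privsize;
    if (fake_alloc_fails)
        return NULL;
    return calloc(1, sizeof(struct Scsi_Host));
}

/*
 * Checked version of the detect path from the report: same register selection,
 * but the allocation result is validated before io_port is written. Returns the
 * number of hosts found (0 on failure) and hands the host back through *out.
 */
static int mac_scsi_detect_checked(int model, unsigned long via1, int use_pdma,
                                   struct Scsi_Host **out)
{
    unsigned long regp;
    int flags = 0;
    struct Scsi_Host *instance = fake_scsi_register(0);

    *out = NULL;
    if (instance == NULL)   /* the check the original fragment lacks at line 270 */
        return 0;

    if (model == MAC_MODEL_IIFX) {
        regp = via1 + 0x8000;
        flags = FLAG_NO_PSEUDO_DMA;   /* pseudo-DMA does not work on the IIFX */
    } else {
        regp = via1 + 0x10000;
    }
    if (!use_pdma)
        flags = FLAG_NO_PSEUDO_DMA;

    instance->io_port = regp;      /* safe: instance is known to be non-NULL here */
    instance->flags = flags;
    *out = instance;
    return 1;
}
```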