Bug 9567
| Summary: | NULL pointer dereference on file drivers/video/w100fb.c | ||
|---|---|---|---|
| Product: | Drivers | Reporter: | Marcio Buss (marciobuss) |
| Component: | Video(Other) | Assignee: | Jeff Zhou (xinzhou.sjtu) |
| Status: | RESOLVED CODE_FIX | ||
| Severity: | normal | CC: | akpm |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 2.6.23 | Subsystem: | |
| Regression: | --- | Bisected commit-id: | |
well, I think it's quite obvious that the NULL pointer check is forgotten,
and during the driver test, the routine that 'info' allocation failure
hasn't been tested.
+ line 767, the original source:
out:
fb_dealloc_cmap(&info->cmap);
kfree(info->pseudo_palette);
if (remapped_fbuf != NULL)
iounmap(remapped_fbuf);
if (remapped_regs != NULL)
iounmap(remapped_regs);
if (remapped_base != NULL)
iounmap(remapped_base);
if (info)
framebuffer_release(info);
return err;
}
The release process mainly concerns on
1) umap the fbuf, registers and memory base
2) free the info struct.
And these two do not have relations with each other,
so I think it's better if we change the code like this:
+ line 767, the modified source:
out:
if (remapped_fbuf != NULL)
iounmap(remapped_fbuf);
if (remapped_regs != NULL)
iounmap(remapped_regs);
if (remapped_base != NULL)
iounmap(remapped_base);
if (info) {
fb_dealloc_cmap(&info->cmap);
kfree(info->pseudo_palette);
framebuffer_release(info);
}
return err;
}
Please propose a patch and mail it to myself and linux-fbdev-devel@lists.sourceforge.net, thanks. I queued a fix, thanks. |
On file /drivers/video/w100fb.c there is a null pointer dereference. There are many paths to the error. One example path is as follows: (1) The condition at line 643 is true (2) the statement "goto out" at line 644 is then executed, making the program to jump to line 767 (3) the expression fb_dealloc_cmap(&info->cmap) takes place with a null pointer "info". Another path, which makes the error even more apparent, is: (1) The condition at line 671, "if (!info)" is true (2) the statement "goto out" at line 673 is executed (3) the program jumps to line 767, and the same error occurs.