207115 – Possible null pointer dereference in con_init()

Bug 207115 - Possible null pointer dereference in con_init()

Summary: Possible null pointer dereference in con_init()

Status:	NEW

Alias:	None

Product:	Drivers
Classification:	Unclassified
Component:	Console/Framebuffers (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	James Simmons

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-04-05 15:34 UTC by Dongyang Zhan
Modified:	2020-04-05 15:34 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	Linux 4.17
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Dongyang Zhan 2020-04-05 15:34:26 UTC

In Linux 4.17, function con_init() in /drivers/tty/vt/vt.c forgets to handle the failure of the memory allocation operation (e.g., vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT)).

Source code link:
https://elixir.bootlin.com/linux/v4.10.17/source/drivers/tty/vt/vt.c#L2959

Source code and comments；
vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT);
		INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);
		tty_port_init(&vc->port);
		visual_init(vc, currcons, 1);
		vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT);
		vc_init(vc, vc->vc_rows, vc->vc_cols,
			currcons || !vc->vc_sw->con_save_screen);

If the allocation fails, referencing vc will cause a null pointer dereference.

Note You need to log in before you can comment on or make changes to this bug.