Bug 207119 - Possible null pointer dereference in rand_initialize()
Status: NEW
Product: Drivers
Classification: Unclassified
Component: Console/Framebuffers
Hardware: All Linux
Importance: P1 normal
Assignee: James Simmons
Reported: 2020-04-05 15:46 UTC by Dongyang Zhan
Modified: 2020-04-05 15:46 UTC

Kernel Version: Linux 4.17
Regression: No
Description Dongyang Zhan 2020-04-05 15:46:12 UTC
In Linux 4.17, rand_initialize() in /drivers/char/random.c does not handle the failure of memory allocation. When crng = kmalloc_node(sizeof(struct crng_state), GFP_KERNEL | __GFP_NOFAIL, i) fails, accessing memory through this pointer (crng->lock) will cause a null pointer dereference bug.

Source code link:
https://elixir.bootlin.com/linux/v4.10.17/source/drivers/char/random.c#L1656

Source code:
crng = kmalloc_node(sizeof(struct crng_state),
                    GFP_KERNEL | __GFP_NOFAIL, i);
spin_lock_init(&crng->lock); // does not check if crng is null.
crng_initialize(crng);

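An added userspace model of the allocation loop quoted above; this is example code, not code from the kernel or from the reporter. fake_kmalloc_node(), NR_NODES, init_pool_unchecked(), init_pool_checked() and the other helpers are hypothetical names chosen for this example. One caveat for readers: in the kernel, __GFP_NOFAIL instructs the page allocator to keep retrying until the allocation succeeds, so kmalloc_node() called with that flag does not return NULL, and the unchecked dereference in the real loop relies on that. The model therefore substitutes a fallible allocator to show what the loop looks like with and without the check, and how the checked version unwinds the nodes already allocated and reports -ENOMEM.

```c
/* Userspace model of the per-node crng allocation loop in rand_initialize().
 * Added example, not kernel code. fake_kmalloc_node() is a hypothetical
 * stand-in for kmalloc_node() that can be made to fail on demand. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_NODES 4            /* assumed NUMA node count for the model */
#define CHACHA_STATE_WORDS 16
#define CHACHA_EXPA 0x61707865u /* first ChaCha constant word, "expa" */

struct crng_state {
	int lock;                 /* stands in for spinlock_t */
	uint32_t state[CHACHA_STATE_WORDS];
};

static struct crng_state *crng_node_pool[NR_NODES];

/* Fault injection: allocations numbered >= fail_after return NULL; -1 never fails. */
static int fail_after = -1;
static int alloc_count;

static void *fake_kmalloc_node(size_t size, int node)
{
	int idx = alloc_count++;
	(void)node;
	if (fail_after >= 0 && idx >= fail_after)
		return NULL;
	return calloc(1, size);
}

static void fake_spin_lock_init(int *lock)
{
	*lock = 0;
}

static void fake_crng_initialize(struct crng_state *crng)
{
	/* The model only sets the leading constant; the real code seeds all words. */
	memset(crng->state, 0, sizeof(crng->state));
	crng->state[0] = CHACHA_EXPA;
}

static void free_pool(void)
{
	for (int i = 0; i < NR_NODES; i++) {
		free(crng_node_pool[i]);
		crng_node_pool[i] = NULL;
	}
}

/* Shape of the loop quoted in the report: the pointer is used without a check.
 * Safe only when the allocator cannot fail (the real call passes __GFP_NOFAIL);
 * with a fallible allocator fake_spin_lock_init(&crng->lock) dereferences NULL. */
static int init_pool_unchecked(void)
{
	for (int i = 0; i < NR_NODES; i++) {
		struct crng_state *crng = fake_kmalloc_node(sizeof(*crng), i);

		fake_spin_lock_init(&crng->lock);
		fake_crng_initialize(crng);
		crng_node_pool[i] = crng;
	}
	return 0;
}

/* The check the report asks for: release what was allocated and return -ENOMEM. */
static int init_pool_checked(void)
{
	for (int i = 0; i < NR_NODES; i++) {
		struct crng_state *crng = fake_kmalloc_node(sizeof(*crng), i);

		if (!crng) {
			free_pool();
			return -ENOMEM;
		}
		fake_spin_lock_init(&crng->lock);
		fake_crng_initialize(crng);
		crng_node_pool[i] = crng;
	}
	return 0;
}

/* Number of pool slots holding a fully initialised crng_state. */
static int pool_initialised_nodes(void)
{
	int n = 0;
	for (int i = 0; i < NR_NODES; i++)
		if (crng_node_pool[i] && crng_node_pool[i]->state[0] == CHACHA_EXPA)
			n++;
	return n;
}

/* Reset the pool and the fault-injecting allocator between scenarios. */
static void reset_model(int fail_at)
{
	free_pool();
	alloc_count = 0;
	fail_after = fail_at;
}

int main(void)
{
	reset_model(-1);
	printf("unchecked, never fails: rc=%d nodes=%d\n", init_pool_unchecked(), pool_initialised_nodes());
	reset_model(2);
	printf("checked, 3rd alloc fails: rc=%d nodes=%d\n", init_pool_checked(), pool_initialised_nodes());
	free_pool();
	return 0;
}
```

Running the unchecked loop with reset_model(2) is deliberately left out of main(): it would dereference NULL on the third node, which is the crash the report describes. The checked loop frees the two nodes it had already allocated before returning, so a caller sees a clean failure rather than a half-populated pool.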