Bug 44691 - Missing NULL check of the return value of __get_free_pages() in function lkdtm_debugfs_read()
Summary: Missing NULL check of the return value of __get_free_pages() in function lkdtm_debugfs_read()
Alias: None
Product: Drivers
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: Alan
Depends on:
Reported: 2012-07-13 08:22 UTC by RUC_Soft_Sec
Modified: 2012-08-04 19:08 UTC
CC List: 2 users

See Also:
Kernel Version: 2.6.39
Tree: Mainline
Regression: No


Description RUC_Soft_Sec 2012-07-13 08:22:20 UTC
Function __get_free_page() will return an address referring to NULL when there is not enough memory. Thus the return value of __get_free_page() shall be checked against NULL before being used. But in function lkdtm_debugfs_read(), there is no checking of the return value after __get_free_page() is called at drivers/misc/lkdtm.c:467. So an invalid memory access fault may be triggered at line 469, where the return value of __get_free_page() is used.
The related code snippets are as follows.
lkdtm_debugfs_read() @@drivers/misc/lkdtm.c:467
 467        buf = (char *)__get_free_page(GFP_KERNEL);
 469        n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");

Generally, the return value of __get_free_page() is always checked before being used. Take do_register_entry(), a function in the same file as lkdtm_debugfs_read(), for example.
do_register_entry() @@drivers/misc/lkdtm.c:434
 434        buf = (char *)__get_free_page(GFP_KERNEL);
 435        if (!buf)
 436                return -ENOMEM;
 437        if (copy_from_user(buf, user_buf, count)) {
 438                free_page((unsigned long) buf);
 439                return -EFAULT;
 440        }

Thank you
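The following is an added, stand-alone C example written for this editorial pass; it is not code from the reporter, from the merged patch, or from drivers/misc/lkdtm.c. It models the read handler in its checked form, with the kernel APIs (__get_free_page(), free_page(), simple_read_from_buffer(), PAGE_SIZE, GFP_KERNEL) replaced by userspace stand-ins, and adds a hypothetical fault-injection switch so the allocation-failure path can actually be exercised: a failed allocation returns -ENOMEM instead of passing a NULL buffer to snprintf(), and the page is released on every path that obtained it. The crash-type names are a constructed sample list, not lkdtm's real table.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Userspace stand-ins for the kernel definitions the handler relies on
 * (assumptions for this example, not the kernel's own implementations). */
#define PAGE_SIZE 4096UL
#define GFP_KERNEL 0
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical fault-injection switch: set non-zero to make the next
 * allocation fail, as __get_free_page() does under memory pressure. */
static int fail_next_alloc;

static unsigned long mock_get_free_page(int gfp_flags)
{
    (void)gfp_flags;
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return 0;               /* the kernel allocator returns 0 on failure */
    }
    return (unsigned long)calloc(1, PAGE_SIZE);
}

static void mock_free_page(unsigned long addr)
{
    free((void *)addr);
}

/* Stand-in for simple_read_from_buffer(): copy up to count bytes of the
 * available bytes starting at *ppos into to, advancing *ppos. */
static ssize_t mock_simple_read_from_buffer(char *to, size_t count, long *ppos,
                                            const char *from, size_t available)
{
    long pos = *ppos;

    if (pos < 0)
        return -EINVAL;
    if ((size_t)pos >= available || count == 0)
        return 0;
    if (count > available - (size_t)pos)
        count = available - (size_t)pos;
    memcpy(to, from + pos, count);
    *ppos = pos + (long)count;
    return (ssize_t)count;
}

/* Constructed sample list standing in for lkdtm's crash-type table. */
static const char *const crash_types[] = {
    "PANIC", "BUG", "EXCEPTION", "LOOP", "OVERFLOW",
};

/* Read handler in the checked form. A failed page allocation returns
 * -ENOMEM before anything touches the buffer, and the page is freed on
 * every path that allocated it. */
static ssize_t read_crash_types(char *user_buf, size_t count, long *ppos)
{
    char *buf;
    size_t i;
    int n;
    ssize_t out;

    buf = (char *)mock_get_free_page(GFP_KERNEL);
    if (!buf)
        return -ENOMEM;         /* the check the report says lkdtm.c:467 lacks */

    n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
    for (i = 0; i < ARRAY_SIZE(crash_types); i++) {
        if ((size_t)n >= PAGE_SIZE - 1)
            break;              /* page full; snprintf reports untruncated length */
        n += snprintf(buf + n, PAGE_SIZE - (size_t)n, "%s\n", crash_types[i]);
    }
    if ((size_t)n > PAGE_SIZE - 1)
        n = (int)(PAGE_SIZE - 1);

    out = mock_simple_read_from_buffer(user_buf, count, ppos, buf, (size_t)n);
    mock_free_page((unsigned long)buf);
    return out;
}

int main(void)
{
    char out[128];
    long pos = 0;
    ssize_t got;

    got = read_crash_types(out, sizeof out - 1, &pos);
    if (got > 0) {
        out[got] = '\0';
        printf("%s", out);
    }

    fail_next_alloc = 1;        /* simulate an out-of-memory read */
    pos = 0;
    got = read_crash_types(out, sizeof out - 1, &pos);
    printf("read under allocation failure returned %ld (%s)\n",
           (long)got, got == -ENOMEM ? "-ENOMEM" : "unexpected");
    return 0;
}
```

The unchecked form differs only in the absence of the `if (!buf)` test: with `fail_next_alloc` set, it would hand address 0 to snprintf(), which is the invalid memory access the report describes. Keeping the allocation failure reachable from a test switch is the cheapest way to keep such a check from silently regressing.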

Comment 1 Florian Mickler 2012-08-04 19:06:27 UTC
A patch referencing this bug report has been merged in Linux v3.6-rc1:

commit 086ff4b3a7fb9cdf41e6a5d0ccd99b86d84633a1
Author: Alan Cox <alan@linux.intel.com>
Date:   Mon Jul 30 14:43:24 2012 -0700

    drivers/misc/lkdtm.c: fix missing allocation failure check
