Function __get_free_page() will return NULL when there is not enough memory. Thus the return value of __get_free_page() shall be checked against NULL before it is used. But in function lkdtm_debugfs_read(), there is no check of the return value after __get_free_page() is called at drivers/misc/lkdtm.c:467. So an invalid memory access fault may be triggered at line 469, where the return value of __get_free_page() is used. The related code snippets are as follows.

lkdtm_debugfs_read() @@drivers/misc/lkdtm.c:467

    467     buf = (char *)__get_free_page(GFP_KERNEL);
    468
    469     n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");

Generally, the return value of __get_free_page() is always checked before it is used. Take do_register_entry(), a function in the same file as lkdtm_debugfs_read(), for example.

do_register_entry() @@drivers/misc/lkdtm.c:434

    434     buf = (char *)__get_free_page(GFP_KERNEL);
    435     if (!buf)
    436             return -ENOMEM;
    437     if (copy_from_user(buf, user_buf, count)) {
    438             free_page((unsigned long) buf);
    439             return -EFAULT;
    440     }

Thank you
RUC_Soft_Sec
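The following is an added example, not code from the report or from the kernel: a userspace C model of the read path with the allocation-failure check in place, so both branches (allocation fails, allocation succeeds) can be exercised. get_free_page_sim(), free_page_sim(), simulate_alloc_failure, the crash_types table and debugfs_read_fixed() are constructed stand-ins for __get_free_page(), free_page(), lkdtm's crash-type list and lkdtm_debugfs_read().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif

/* Constructed stand-in for __get_free_page(): returns NULL when told to
 * simulate allocation failure, so the read path can be tested on both
 * branches. */
static int simulate_alloc_failure = 0;

static char *get_free_page_sim(void)
{
    if (simulate_alloc_failure)
        return NULL;
    return malloc(PAGE_SIZE);
}

static void free_page_sim(char *p) { free(p); }

/* Constructed crash-type table standing in for lkdtm's list. */
static const char *const crash_types[] = { "PANIC", "BUG", "EXCEPTION" };

/* Model of lkdtm_debugfs_read() with the missing check added: fills a page
 * with the crash-type list and copies at most `count` bytes into `out`.
 * Returns the number of bytes copied, or -ENOMEM when the page allocation
 * fails, instead of passing NULL to snprintf() as line 469 would. */
static long debugfs_read_fixed(char *out, size_t count)
{
    char *buf = get_free_page_sim();
    int n, i;
    size_t len;

    if (!buf)
        return -ENOMEM;   /* the check the report asks for */

    n = snprintf(buf, PAGE_SIZE, "Available crash types:\n");
    for (i = 0; i < (int)(sizeof crash_types / sizeof crash_types[0]); i++)
        n += snprintf(buf + n, PAGE_SIZE - n, "%s\n", crash_types[i]);

    len = (size_t)n < count ? (size_t)n : count;
    memcpy(out, buf, len);   /* stands in for copy_to_user() */
    free_page_sim(buf);      /* the page is released on every path */
    return (long)len;
}
```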
A patch referencing this bug report has been merged in Linux v3.6-rc1:

commit 086ff4b3a7fb9cdf41e6a5d0ccd99b86d84633a1
Author: Alan Cox <alan@linux.intel.com>
Date:   Mon Jul 30 14:43:24 2012 -0700

    drivers/misc/lkdtm.c: fix missing allocation failure check