Bug 78561 - ft1000 Null pointer dereference in ft1000_hw.c
Summary: ft1000 Null pointer dereference in ft1000_hw.c
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Staging
Hardware: All Linux
Importance: P1 normal
Assignee: drivers_staging@kernel-bugs.osdl.org
Reported: 2014-06-20 16:25 UTC by Maksymilian Arciemowicz
Modified: 2014-07-05 00:26 UTC

Kernel Version: 3.15.1
Regression: No
Description Maksymilian Arciemowicz 2014-06-20 16:25:14 UTC
Hi,

Improper use of memcpy() without verifying result from malloc() may cause null pointer dereference

---------------------------
linux-3.15.1/drivers/staging/ft1000/ft1000-usb/ft1000_hw.c

/* send a command to ASIC
*  Parameters:  ft1000_usb  - device structure
*               ptempbuffer - command buffer
*               size - command buffer size
*/
void card_send_command(struct ft1000_usb *ft1000dev, void *ptempbuffer,
               int size)
{
    unsigned short temp;
    unsigned char *commandbuf;
 
    DEBUG("card_send_command: enter card_send_command... size=%d\n", size);
 
    commandbuf = kmalloc(size + 2, GFP_KERNEL); <============== possible NULL
    memcpy((void *)commandbuf + 2, (void *)ptempbuffer, size); <======= CRASH
---------------------------

BR,
Maksymilian Arciemowicz
http://cifrex.org/
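The hardened shape of this function, as an added user-space example that is neither the kernel's code nor the patch posted below: the allocation result is checked before memcpy() and a status is returned so the caller can stop on -ENOMEM. A tiny injectable allocator (fake_kmalloc, fail_next_alloc) is assumed in place of kmalloc() so the failure path can be exercised without the driver.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for kmalloc() so the failure path can be exercised in user
 * space: returns NULL once after fail_next_alloc is set. */
static int fail_next_alloc;

static void *fake_kmalloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* Hardened shape of card_send_command(): same 2-byte header followed by
 * the caller's command bytes, but the allocation is checked before any
 * use and a status is returned so the caller can bail out on -ENOMEM
 * instead of letting memcpy() write through a NULL pointer. */
static int send_command_checked(const void *cmd, int size, unsigned char **out)
{
    unsigned char *commandbuf;
    if (size < 0 || !cmd || !out)
        return -EINVAL;
    commandbuf = fake_kmalloc((size_t)size + 2);
    if (!commandbuf)
        return -ENOMEM;          /* the original memcpy()s into NULL here */
    commandbuf[0] = commandbuf[1] = 0;   /* header bytes, filled by the driver */
    memcpy(commandbuf + 2, cmd, (size_t)size);
    *out = commandbuf;
    return 0;
}

/* Exercise both paths; returns the number of checks that passed (4 = all). */
static int demo(void)
{
    static const unsigned char cmd[] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */
    unsigned char *buf = NULL;
    int ok = 0;
    ok += send_command_checked(cmd, sizeof cmd, &buf) == 0;
    ok += buf && memcmp(buf + 2, cmd, sizeof cmd) == 0;
    free(buf); buf = NULL;
    fail_next_alloc = 1;                 /* simulate allocation failure */
    ok += send_command_checked(cmd, sizeof cmd, &buf) == -ENOMEM;
    ok += buf == NULL;                   /* nothing written, nothing leaked */
    return ok;
}
```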
Comment 1 Andrey Utkin 2014-07-05 00:26:29 UTC
Posted the patch: https://patchwork.kernel.org/patch/4486071/
Thanks for the report.
