9572 – Dereferencing NULL pointer on drivers/usb/serial/mos7720.c

Bug 9572 - Dereferencing NULL pointer on drivers/usb/serial/mos7720.c

Summary: Dereferencing NULL pointer on drivers/usb/serial/mos7720.c

Status:	CLOSED CODE_FIX

Alias:	None

Product:	Drivers
Classification:	Unclassified
Component:	USB (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	Greg Kroah-Hartman

URL:
Keywords:

Depends on:
Blocks:	USB
	Show dependency tree

Reported:	2007-12-15 06:53 UTC by Marcio Buss
Modified:	2008-09-22 10:42 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	2.6.23
Subsystem:
Regression:	---
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Marcio Buss 2007-12-15 06:53:47 UTC

There is a NULL pointer dereference on drivers/usb/serial/mos7720.c
The error can be tracked down as follows:

(1) line 568: there's a test "if (serial->dev)" implying that
    null is a legal value for "serial->dev" at that point

(2) line 576: "serial" is passed in as an argument to "send_mos_cmd"

(3) line 282: "send_mos_cmd" unconditionally dereferences serial->dev
    at expression "le16_to_cpu(serial->dev->descriptor.idProduct)

Comment 1 Anonymous Emailer 2007-12-15 20:23:39 UTC

Reply-To: akpm@linux-foundation.org

On Sat, 15 Dec 2007 06:53:48 -0800 (PST) bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=9572
> 
>            Summary: Dereferencing NULL pointer on
>                     drivers/usb/serial/mos7720.c
>            Product: Drivers
>            Version: 2.5
>      KernelVersion: 2.6.23
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: USB
>         AssignedTo: greg@kroah.com
>         ReportedBy: marciobuss@gmail.com
> 
> 
> There is a NULL pointer dereference on drivers/usb/serial/mos7720.c
> The error can be tracked down as follows:
> 
> (1) line 568: there's a test "if (serial->dev)" implying that
>     null is a legal value for "serial->dev" at that point
> 
> (2) line 576: "serial" is passed in as an argument to "send_mos_cmd"
> 
> (3) line 282: "send_mos_cmd" unconditionally dereferences serial->dev
>     at expression "le16_to_cpu(serial->dev->descriptor.idProduct)
>

Comment 2 Anonymous Emailer 2007-12-20 02:48:32 UTC

Reply-To: oliver@neukum.org

Am Sonntag, 16. Dezember 2007 05:23:27 schrieb Andrew Morton:
> On Sat, 15 Dec 2007 06:53:48 -0800 (PST) bugme-daemon@bugzilla.kernel.org
> wrote:
> 
> > http://bugzilla.kernel.org/show_bug.cgi?id=9572
> > 
> >            Summary: Dereferencing NULL pointer on
> >                     drivers/usb/serial/mos7720.c
> >            Product: Drivers
> >            Version: 2.5
> >      KernelVersion: 2.6.23
> >           Platform: All
> >         OS/Version: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: USB
> >         AssignedTo: greg@kroah.com
> >         ReportedBy: marciobuss@gmail.com
> > 
> > 
> > There is a NULL pointer dereference on drivers/usb/serial/mos7720.c
> > The error can be tracked down as follows:
> > 
> > (1) line 568: there's a test "if (serial->dev)" implying that
> >     null is a legal value for "serial->dev" at that point
> > 
> > (2) line 576: "serial" is passed in as an argument to "send_mos_cmd"
> > 
> > (3) line 282: "send_mos_cmd" unconditionally dereferences serial->dev
> >     at expression "le16_to_cpu(serial->dev->descriptor.idProduct)

I see no way serial->dev may become NULL. The test looks superfluous.
Did you get an oops or is this result of a checking tool?

	Regards
		Oliver

Comment 3 Alan 2008-09-22 10:42:01 UTC

Test removed upstream

Note You need to log in before you can comment on or make changes to this bug.