There's a null pointer dereference on drivers/usb/serial/whiteheat.c as follows:

(1) line 613: the test "if (port->tty)" implies that null is a legal value for "port->tty" at that point

(2) neither firm_open nor firm_purge initialize "port->tty"

(3) line 630: "port->tty" is dereferenced at statement
    old_term.c_cflag = ~port->tty->termios->c_cflag;
Reply-To: akpm@linux-foundation.org

On Sat, 15 Dec 2007 07:08:52 -0800 (PST) bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=9573
>
>            Summary: NULL pointer dereference on
>                     drivers/usb/serial/whiteheat.c
>            Product: Drivers
>            Version: 2.5
>      KernelVersion: 2.6.23
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: USB
>         AssignedTo: greg@kroah.com
>         ReportedBy: marciobuss@gmail.com
>
>
> There's a null pointer dereference on drivers/usb/serial/whiteheat.c as
> follows:
>
> (1) line 613: the test "if (port->tty)" implies that null is a legal value
> for "port->tty" at that point
>
> (2) neither firm_open nor firm_purge initialize "port->tty"
>
> (3) line 630: "port->tty" is dereferenced at statement
> old_term.c_cflag = ~port->tty->termios->c_cflag;
Reply-To: oliver@neukum.org

On Sunday, 16 December 2007 05:23:47, Andrew Morton wrote:
> On Sat, 15 Dec 2007 07:08:52 -0800 (PST) bugme-daemon@bugzilla.kernel.org
> wrote:
>
> > http://bugzilla.kernel.org/show_bug.cgi?id=9573
> > There's a null pointer dereference on drivers/usb/serial/whiteheat.c as
> > follows:
> >
> > (1) line 613: the test "if (port->tty)" implies that null is a legal value
> > for "port->tty" at that point
> >
> > (2) neither firm_open nor firm_purge initialize "port->tty"

drivers/usb/serial/usb-serial::serial_open() sets port->tty
The check for NULL is bogus. This patch removes the check.

Signed-off-by: Oliver Neukum <oneukum@suse.de>

	Regards
		Oliver

----
--- a/drivers/usb/serial/whiteheat.c 2007-12-20 11:55:55.000000000 +0100 +++ b/drivers/usb/serial/whiteheat.c 2007-12-20 11:56:20.000000000 +0100 @@ -610,8 +610,7 @@ static int whiteheat_open (struct usb_se if (retval) goto exit; - if (port->tty) - port->tty->low_latency = 1; + port->tty->low_latency = 1; /* send an open port command */ retval = firm_open(port);
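Review bot: Deleting the `if (port->tty)` guard in this hunk resolves the inconsistency in the wrong direction: the report's point (3) is an unguarded `old_term.c_cflag = ~port->tty->termios->c_cflag;` a few lines further down in the same function, and the hunk leaves it untouched, so if port->tty can be NULL on some path the crash the reporter flagged is still there, and if it cannot, the patch changes nothing but the guard. The justification that serial_open() always sets port->tty only covers that one caller, and the thread's resolution says the test was needed for console interfaces. Suggest keeping the guard and making the termios access depend on the same test, or reading port->tty into a local once at the top of whiteheat_open() and checking it once, rather than removing the check.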
On Thu, 20 Dec 2007 12:23:03 +0100
Oliver Neukum <oliver@neukum.org> wrote:

> On Sunday, 16 December 2007 05:23:47, Andrew Morton wrote:
> > On Sat, 15 Dec 2007 07:08:52 -0800 (PST) bugme-daemon@bugzilla.kernel.org
> > wrote:
> >
> > > http://bugzilla.kernel.org/show_bug.cgi?id=9573
> >
> > > There's a null pointer dereference on drivers/usb/serial/whiteheat.c as
> > > follows:
> > >
> > > (1) line 613: the test "if (port->tty)" implies that null is a legal value
> > > for "port->tty" at that point
> > >
> > > (2) neither firm_open nor firm_purge initialize "port->tty"
>
> drivers/usb/serial/usb-serial::serial_open() sets port->tty
> The check for NULL is bogus. This patch removes the check.
>
> Signed-off-by: Oliver Neukum <oneukum@suse.de>

USB serial is full of these. Happy hunting

Acked-by: Alan Cox <alan@redhat.com>
Resolved - actually the test was needed due to console interfaces
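The pattern the report describes (a guarded first use of port->tty followed by an unguarded second use) and the reason the resolution gives for keeping the guard, as an added example; this is not code from the whiteheat driver or the kernel. The structs, the firmware-command placeholders, the sample cflag value and the return conventions are constructed stand-ins for the fields the report names, chosen so the code runs in userspace: the buggy form mirrors the shape of the reported function, and the hardened form hoists the pointer into a local and makes every later use follow one decision, so a port opened without a tty (the console path) is handled instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-ins for the kernel structures the bug report names
 * (usb_serial_port, tty_struct, ktermios), cut down to the fields the
 * reported lines touch. They are not the kernel's definitions.
 */
struct mock_termios { unsigned int c_cflag; };
struct mock_tty     { int low_latency; struct mock_termios *termios; };
struct mock_port    { struct mock_tty *tty; };   /* NULL when no tty is attached */

/*
 * Shape of the reported code: the first use of port->tty is guarded, which
 * tells a reader (and a static checker) that NULL is expected here, but the
 * later use is not. With port->tty == NULL the guarded statement is skipped
 * and the unguarded one dereferences NULL. Returns the inverted cflag the
 * driver stores so that a later termios update is forced.
 */
static unsigned int open_buggy(struct mock_port *port)
{
    unsigned int old_cflag;

    if (port->tty)
        port->tty->low_latency = 1;

    /* ... firmware open/purge commands go here; they do not set port->tty ... */

    old_cflag = ~port->tty->termios->c_cflag;   /* NULL dereference when tty is NULL */
    return old_cflag;
}

/*
 * Hardened version: load port->tty into a local once, decide once whether a
 * tty is attached, and make every later use depend on that one decision.
 * Returns 1 when a tty was present and *old_cflag was filled in, 0 when the
 * port was opened without a tty (the console case the thread's resolution
 * refers to), in which case there is no termios to touch and *old_cflag is
 * left alone.
 */
static int open_fixed(struct mock_port *port, unsigned int *old_cflag)
{
    struct mock_tty *tty = port->tty;

    if (tty)
        tty->low_latency = 1;

    /* ... firmware open/purge commands ... */

    if (!tty || !tty->termios)
        return 0;

    *old_cflag = ~tty->termios->c_cflag;
    return 1;
}

/* Constructed sample input: one port with a tty attached, one opened without. */
static struct mock_termios sample_termios = { 0x0cb0 };
static struct mock_tty     sample_tty     = { 0, &sample_termios };
static struct mock_port    port_with_tty  = { &sample_tty };
static struct mock_port    console_port   = { NULL };

int main(void)
{
    unsigned int old = 0;

    /* Both versions agree while a tty is attached. */
    printf("buggy: old_cflag=0x%x\n", open_buggy(&port_with_tty));
    printf("fixed: attached=%d old_cflag=0x%x low_latency=%d\n",
           open_fixed(&port_with_tty, &old), old, sample_tty.low_latency);

    /* Only the hardened version survives the console case;
     * open_buggy(&console_port) would dereference NULL here. */
    printf("fixed on console port: attached=%d\n", open_fixed(&console_port, &old));
    return 0;
}
```

The review point the example isolates is that a guard on one use of a pointer and an unguarded later use of the same pointer in the same function cannot both be right; the fix is to decide which is true on every path into the function and make all uses follow that decision, not to delete whichever half is less convenient.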