Re: [bug report] [media] lirc: prevent use-after free

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sean Young <sean@mess.org>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-media@vger.kernel.org
Subject: Re: [bug report] [media] lirc: prevent use-after free
Date: Sat, 26 Nov 2016 11:26:14 +0000	[thread overview]
Message-ID: <20161126112614.GA18806@gofer.mess.org> (raw)
In-Reply-To: <20161126095717.GA3150@mwanda>

Hi Dan,

On Sat, Nov 26, 2016 at 12:57:17PM +0300, Dan Carpenter wrote:
> Hello Sean Young,
> 
> The patch afbb110172b9: "[media] lirc: prevent use-after free" from
> Oct 31, 2016, leads to the following static checker warning:
> 
> 	drivers/media/rc/lirc_dev.c:190 lirc_cdev_add()
> 	error: potential null dereference 'cdev'.  (cdev_alloc returns null)
> 
> drivers/media/rc/lirc_dev.c
>    158  static int lirc_cdev_add(struct irctl *ir)
>    159  {
>    160          int retval = -ENOMEM;
>    161          struct lirc_driver *d = &ir->d;
>    162          struct cdev *cdev;
>    163  
>    164          cdev = cdev_alloc();
>    165          if (!cdev)
>    166                  goto err_out;
> 
> Classic one err bug.  Just return directly here.  return -ENOMEM is 100%
> readable but goto err_out is opaque because you first have to scroll
> down to see what err_out does then you have to scroll to the start of
> the function to verify that retval is set.
> 
>    167  
>    168          if (d->fops) {
>    169                  cdev->ops = d->fops;
>    170                  cdev->owner = d->owner;
>    171          } else {
>    172                  cdev->ops = &lirc_dev_fops;
>    173                  cdev->owner = THIS_MODULE;
>    174          }
>    175          retval = kobject_set_name(&cdev->kobj, "lirc%d", d->minor);
>    176          if (retval)
>    177                  goto err_out;
>    178  
>    179          retval = cdev_add(cdev, MKDEV(MAJOR(lirc_base_dev), d->minor), 1);
>    180          if (retval) {
>    181                  kobject_put(&cdev->kobj);
> 
> This is a double free, isn't it?  It should just be goto del_cdev;
> 
>    182                  goto err_out;
>    183          }
>    184  
>    185          ir->cdev = cdev;
>    186  
>    187          return 0;
>    188  
>    189  err_out:
>    190          cdev_del(cdev);
> 
> Can't pass NULLs to this function.
> 
>    191          return retval;
>    192  }

Oh dear! Thanks for reporting this, you're absolutely right. I'll send
out a patch shortly.

Thanks
Sean

next prev parent reply	other threads:[~2016-11-26 11:26 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-26  9:57 [bug report] [media] lirc: prevent use-after free Dan Carpenter
2016-11-26 11:26 ` Sean Young [this message]
2016-11-27 19:01   ` [PATCH] [media] lirc: fix error paths in lirc_cdev_add() Sean Young

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161126112614.GA18806@gofer.mess.org \
    --to=sean@mess.org \
    --cc=dan.carpenter@oracle.com \
    --cc=linux-media@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.