linux/net/irda
Vegard Nossum d3e6952cfb net/irda: fix NULL pointer dereference on memory allocation failure
I ran into this:

    kasan: CONFIG_KASAN_INLINE enabled
    kasan: GPF could be caused by NULL-ptr deref or user memory access
    general protection fault: 0000 [#1] PREEMPT SMP KASAN
    CPU: 2 PID: 2012 Comm: trinity-c3 Not tainted 4.7.0-rc7+ #19
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    task: ffff8800b745f2c0 ti: ffff880111740000 task.ti: ffff880111740000
    RIP: 0010:[<ffffffff82bbf066>]  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
    RSP: 0018:ffff880111747bb8  EFLAGS: 00010286
    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000069dd8358
    RDX: 0000000000000009 RSI: 0000000000000027 RDI: 0000000000000048
    RBP: ffff880111747c00 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000069dd8358 R11: 1ffffffff0759723 R12: 0000000000000000
    R13: ffff88011a7e4780 R14: 0000000000000027 R15: 0000000000000000
    FS:  00007fc738404700(0000) GS:ffff88011af00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fc737fdfb10 CR3: 0000000118087000 CR4: 00000000000006e0
    Stack:
     0000000000000200 ffff880111747bd8 ffffffff810ee611 ffff880119f1f220
     ffff880119f1f4f8 ffff880119f1f4f0 ffff88011a7e4780 ffff880119f1f232
     ffff880119f1f220 ffff880111747d58 ffffffff82bca542 0000000000000000
    Call Trace:
     [<ffffffff82bca542>] irda_connect+0x562/0x1190
     [<ffffffff825ae582>] SYSC_connect+0x202/0x2a0
     [<ffffffff825b4489>] SyS_connect+0x9/0x10
     [<ffffffff8100334c>] do_syscall_64+0x19c/0x410
     [<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
    Code: 41 89 ca 48 89 e5 41 57 41 56 41 55 41 54 41 89 d7 53 48 89 fb 48 83 c7 48 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 20 4c 8b 65 10 <0f> b6 04 02 84 c0 74 08 84 c0 0f 8e 4c 04 00 00 80 7b 48 00 74
    RIP  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
     RSP <ffff880111747bb8>
    ---[ end trace 4cda2588bc055b30 ]---

The problem is that irda_open_tsap() can fail and leave self->tsap = NULL,
and then irttp_connect_request() almost immediately dereferences it.

Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-25 11:24:49 -07:00
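The failure mode the commit describes, as an added illustration rather than the kernel's own code: a local TSAP is opened lazily on connect, the open can fail on allocation, and the connect path hands the resulting NULL pointer to a callee that dereferences it immediately. The structures, field names, the `open_tsap()` / `connect_request()` stand-ins and the `inject_alloc_failure` fault-injection knob are all constructed for this example; only the shape of the bug and its fix (check the open's return value before calling into TTP) mirrors what the commit message says.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the kernel objects (hypothetical fields). */
struct tsap_cb {
	unsigned char stsap_sel;   /* local TSAP selector */
	unsigned char connected;
};

struct irda_sock {
	struct tsap_cb *tsap;      /* NULL until a local TSAP has been opened */
	unsigned char dtsap_sel;   /* destination TSAP selector */
};

/* Fault-injection knob for the demo: nonzero makes the TSAP allocation fail. */
static int inject_alloc_failure;

/* Stand-in for irda_open_tsap(): on allocation failure it returns -ENOMEM
 * and leaves self->tsap == NULL, the state the KASAN trace was hit in. */
static int open_tsap(struct irda_sock *self, unsigned char stsap_sel)
{
	struct tsap_cb *tsap = inject_alloc_failure ? NULL
						  : calloc(1, sizeof(*tsap));

	if (!tsap)
		return -ENOMEM;
	tsap->stsap_sel = stsap_sel;
	self->tsap = tsap;
	return 0;
}

/* Stand-in for irttp_connect_request(): like the real function it trusts
 * its caller and dereferences tsap at once, so a NULL tsap is the crash. */
static int connect_request(struct tsap_cb *tsap, unsigned char dtsap_sel)
{
	(void)dtsap_sel;
	if (tsap->connected)
		return -EISCONN;
	tsap->connected = 1;
	return 0;
}

/* Buggy shape: the open_tsap() result is ignored, so a failed allocation
 * flows straight into connect_request() as a NULL pointer. Do not call
 * this with inject_alloc_failure set; that reproduces the GPF. */
static int connect_unchecked(struct irda_sock *self)
{
	if (!self->tsap)
		open_tsap(self, 0x10);        /* return value dropped */
	return connect_request(self->tsap, self->dtsap_sel);
}

/* Hardened shape: propagate the allocation error and never reach
 * connect_request() without a valid TSAP. */
static int connect_checked(struct irda_sock *self)
{
	int err;

	if (!self->tsap) {
		err = open_tsap(self, 0x10);
		if (err)
			return err;           /* -ENOMEM surfaces to connect(2) */
	}
	return connect_request(self->tsap, self->dtsap_sel);
}

/* Drives the hardened path under fault injection and returns the error it
 * reports, so a caller can confirm the failure is handled rather than crashed on. */
static int demo_alloc_failure(void)
{
	struct irda_sock self = { .tsap = NULL, .dtsap_sel = 0x20 };
	int err;

	inject_alloc_failure = 1;
	err = connect_checked(&self);     /* -ENOMEM, self.tsap still NULL */
	inject_alloc_failure = 0;
	return self.tsap == NULL ? err : -1;
}

/* Normal path: the TSAP is allocated and the connect proceeds. */
static int demo_success(void)
{
	struct irda_sock self = { .tsap = NULL, .dtsap_sel = 0x20 };
	int err = connect_checked(&self);

	free(self.tsap);
	return err;
}

int main(void)
{
	struct irda_sock ok = { .tsap = NULL, .dtsap_sel = 0x20 };
	int err;

	err = demo_alloc_failure();
	printf("checked connect, alloc failure: %d (%s)\n", err, strerror(-err));
	printf("checked connect, normal: %d\n", demo_success());
	printf("unchecked connect, normal: %d\n", connect_unchecked(&ok));
	free(ok.tsap);
	return 0;
}
```

The trace on this page is the `connect_unchecked()` shape taken with the allocation failing: the socket is left with `tsap == NULL` and the very next call dereferences it. Propagating the error from the open, as `connect_checked()` does, turns an attacker-reachable kernel oops under memory pressure into an `-ENOMEM` returned to `connect(2)`.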
ircomm tty: Replace ASYNC_INITIALIZED bit and update atomically 2016-04-30 09:26:55 -07:00
irlan treewide: replace dev->trans_start update with helper 2016-05-04 14:16:49 -04:00
irnet irda: replace current->state by set_current_state() 2015-02-23 17:21:11 -05:00
af_irda.c net/irda: fix NULL pointer dereference on memory allocation failure 2016-07-25 11:24:49 -07:00
discovery.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
irda_device.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
iriap_event.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
iriap.c irda: Fix build failures after IRDA_DEBUG->pr_debug 2014-11-12 22:01:14 -05:00
irias_object.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
irlap_event.c irda: Fix build failures after IRDA_DEBUG->pr_debug 2014-11-12 22:01:14 -05:00
irlap_frame.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
irlap.c irda: use msecs_to_jiffies for conversions 2015-01-30 18:08:25 -08:00
irlmp_event.c irda: Fix build failures after IRDA_DEBUG->pr_debug 2014-11-12 22:01:14 -05:00
irlmp_frame.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
irlmp.c irda: precedence bug in irlmp_seq_hb_idx() 2015-10-21 07:48:26 -07:00
irmod.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
irnetlink.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
irproc.c irda: irproc: Fix set-but-unused variables. 2011-04-17 16:59:50 -07:00
irqueue.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
irsysctl.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
irttp.c irda: Convert function pointer arrays and uses to const 2014-12-10 15:33:16 -05:00
Kconfig [S390] Kconfig: unwanted menus for s390. 2007-05-10 15:46:07 +02:00
Makefile [IrDA]: Netlink layer. 2007-07-10 22:16:43 -07:00
parameters.c irda: Convert function pointer arrays and uses to const 2014-12-10 15:33:16 -05:00
qos.c irda: Convert function pointer arrays and uses to const 2014-12-10 15:33:16 -05:00
timer.c irda: use msecs_to_jiffies for conversion to jiffies 2015-05-25 17:46:21 -04:00
wrapper.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00