[Bug 274874] A possible null-pointer dereference caused by a data race in sys/dev/firewire/fwdev.c
Date: Thu, 02 Nov 2023 16:42:14 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274874
Bug ID: 274874
Summary: A possible null-pointer dereference caused by a data
race in sys/dev/firewire/fwdev.c
Product: Base System
Version: 14.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: islituo@gmail.com
In the function fw_read(), ir->stproc is first checked to be not NULL:

    } else if (ir->stproc != NULL) {

and then is dereferenced after releasing the protecting lock:

    FW_GUNLOCK(fc);
    fp = (struct fw_pkt *)fwdma_v_addr(ir->buf,
        ir->stproc->poffset + ir->queued);

However, if ir->stproc is set to NULL by other functions such as fw_write()
right after the lock is released, a null-pointer dereference can occur:

    it->stproc = NULL;
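
The check-then-use window described in the report, as an added example that is not part of the original report and is neither FreeBSD code nor a proposed patch for fwdev.c. It is a user-space C model in which every name (struct xferq, in_window, clear_stproc, offset_racy, offset_snapshot) is hypothetical and the return value -2 stands in for the kernel fault; it contrasts re-reading the shared pointer after unlock with computing the offset while the lock is still held.

```c
#include <pthread.h>
#include <stddef.h>
/* User-space model; every name is hypothetical, none of this is FreeBSD code. */
struct chunk { size_t poffset; };
struct xferq {
    pthread_mutex_t lock;                 /* models the lock FW_GUNLOCK drops */
    struct chunk *stproc;                 /* shared pointer a writer may clear */
    size_t queued;
    void (*in_window)(struct xferq *);    /* models a writer running after unlock */
};

/* The concurrent writer: sets the shared pointer to NULL under the lock. */
void clear_stproc(struct xferq *q)
{
    pthread_mutex_lock(&q->lock);
    q->stproc = NULL;
    pthread_mutex_unlock(&q->lock);
}

/* Shape from the report: checked under the lock, read again after unlock. */
long offset_racy(struct xferq *q)
{
    pthread_mutex_lock(&q->lock);
    int present = (q->stproc != NULL);
    pthread_mutex_unlock(&q->lock);
    if (!present)
        return -1;
    q->in_window(q);
    if (q->stproc == NULL)      /* second read: the kernel would fault here */
        return -2;
    return (long)(q->stproc->poffset + q->queued);
}

/* Snapshot form: values derived from stproc are computed before unlock. */
long offset_snapshot(struct xferq *q)
{
    long off = -1;
    pthread_mutex_lock(&q->lock);
    if (q->stproc != NULL)
        off = (long)(q->stproc->poffset + q->queued);
    pthread_mutex_unlock(&q->lock);
    q->in_window(q);
    return off;
}

long run_with_writer(long (*reader)(struct xferq *))
{
    /* Fresh queue with constructed sample values; the writer fires after unlock. */
    struct xferq q = { PTHREAD_MUTEX_INITIALIZER, &(struct chunk){ 4096 }, 128, clear_stproc };
    return reader(&q);
}
```

The snapshot only removes the second read of the pointer; whether the buffer region it names may still be used after the lock is dropped is a separate question the model does not answer.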