[Bug 231354] Potential null pointer dereference in drm/r128
bugzilla-noreply at freebsd.org
Fri Sep 14 02:41:33 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231354
Bug ID: 231354
Summary: Potential null pointer dereference in drm/r128
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: yangx92 at hotmail.com
Created attachment 197085
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=197085&action=edit
Patch for potential null pointer dereference
There is a potential null pointer dereference vulnerability in drm/r128_cce.c and
drm/r128_state.c.
drm/r128: Add test for initialisation to all ioctls that require it
Almost all r128's private ioctls require that the CCE state has
already been initialised. However, most do not test that this has
been done, and will proceed to dereference a null pointer. This may
result in a security vulnerability, since some ioctls are
unprivileged.
This adds a macro for the common initialisation test and changes all
ioctl implementations that require prior initialisation to use that
macro.
Also, r128_do_init_cce() does not test that the CCE state has not
been initialised already. Repeated initialisation may lead to a crash
or resource leak. This adds that test.
352 static int r128_do_init_cce(struct drm_device * dev, drm_r128_init_t * init)
353 {
354     drm_r128_private_t *dev_priv;
355
356     DRM_DEBUG("\n");
357
358     dev_priv = drm_alloc(sizeof(drm_r128_private_t), DRM_MEM_DRIVER);
359     if (dev_priv == NULL)
360         return -ENOMEM;
361
362     memset(dev_priv, 0, sizeof(drm_r128_private_t));
363
364     dev_priv->is_pci = init->is_pci;
365
366     if (dev_priv->is_pci && !dev->sg) {
367         DRM_ERROR("PCI GART memory not allocated!\n");
368         dev->dev_private = (void *)dev_priv;
369         r128_do_cleanup_cce(dev);
370         return -EINVAL;
371     }
For example, there is no check of dev->dev_private before line 358 in
r128_do_init_cce in sys/dev/drm/r128_cce.c.
A patch for this vulnerability is attached.
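A compact model of the two checks the commit message describes, written as an added example for this report (it is not the attached patch or the driver's own code): the structures, the handler and the macro name R128_INIT_TEST_WITH_RETURN are stand-ins, and the unchecked handler is kept only to show the pre-patch pattern next to the guarded one.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Minimal stand-ins for the DRM structures, constructed for this example. */
struct r128_private { int is_pci; int cce_running; };
struct drm_device   { void *dev_private; void *sg; };
struct r128_init    { int is_pci; };

/* Shared initialisation test for every ioctl that needs a live CCE state.
 * The macro name is this example's own, not necessarily the patch's. */
#define R128_INIT_TEST_WITH_RETURN(priv) \
    do { if ((priv) == NULL) return -EINVAL; } while (0)

/* Pre-patch pattern: trusts dev_private, so an ioctl issued before
 * CCE initialisation dereferences a NULL pointer. Never call it on an
 * uninitialised device. */
static int r128_cce_start_unchecked(struct drm_device *dev)
{
    struct r128_private *priv = dev->dev_private;
    priv->cce_running = 1;
    return 0;
}

/* Patched pattern: refuse with -EINVAL until initialisation has run. */
static int r128_cce_start_checked(struct drm_device *dev)
{
    struct r128_private *priv = dev->dev_private;
    R128_INIT_TEST_WITH_RETURN(priv);
    priv->cce_running = 1;
    return 0;
}

/* Init with the added double-initialisation test; without it a second
 * call allocates a new private block and leaks or clobbers the first. */
static int r128_do_init_cce(struct drm_device *dev, struct r128_init *init)
{
    struct r128_private *priv;

    if (dev->dev_private != NULL)          /* already initialised */
        return -EINVAL;
    priv = calloc(1, sizeof(*priv));       /* zeroed, like the memset */
    if (priv == NULL)
        return -ENOMEM;
    priv->is_pci = init->is_pci;
    if (priv->is_pci && dev->sg == NULL) { /* PCI GART not allocated */
        free(priv);                        /* stand-in for cleanup path */
        return -EINVAL;
    }
    dev->dev_private = priv;
    return 0;
}
```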