Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()

In the function bcm_vk_read(), the pointer entry is checked, indicating
that it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the
following code may cause null-pointer dereferences:

struct vk_msg_blk tmp_msg = entry->to_h_msg[0];
set_msg_id(&tmp_msg, entry->usr_msg_id);
tmp_msg.size = entry->to_h_blks - 1;

To prevent these possible null-pointer dereferences, copy to_h_msg,
usr_msg_id, and to_h_blks from iter into temporary variables, and return
these temporary variables to the application instead of accessing them
through a potentially NULL entry.

Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Scott Branden <scott.branden@broadcom.com>
Link: https://patch.msgid.link/20251211063637.3987937-1-islituo@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
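The pattern the commit message describes, as an added user-space model that is not the driver's code: `entry` is assigned only on the buffer-fits path, so an exit path that reads `entry->...` whenever `rc == -EMSGSIZE` dereferences NULL, and the fix is to snapshot the three fields from `iter` at the moment the too-small case is detected. The struct layouts, `bcm_vk_read_model`, `sample_entry`, the errno constants and the success return value are assumptions made for this example, not the real `bcm_vk_msg.c` definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed errno values so the example builds without kernel headers. */
#define EMSGSIZE 90
#define ENOMSG   42

/* Assumed shapes of the driver's structures; only the fields the diff
 * touches are modelled here. */
struct vk_msg_blk {
    uint32_t msg_id;
    uint32_t size;        /* number of blocks that follow this first one */
    char     payload[8];
};
#define VK_MSGQ_BLK_SIZE sizeof(struct vk_msg_blk)

struct bcm_vk_wkent {
    struct bcm_vk_wkent *next;
    uint32_t usr_msg_id;
    uint32_t to_h_blks;            /* blocks held in to_h_msg */
    struct vk_msg_blk to_h_msg[4];
};

static void set_msg_id(struct vk_msg_blk *blk, uint32_t id) { blk->msg_id = id; }

/* Model of the fixed read loop: hand the whole message back when the
 * caller's buffer (buf_blks blocks) fits it; otherwise return -EMSGSIZE
 * plus a header block whose size field tells the caller how many more
 * blocks it must provide. Because 'entry' is assigned only on the success
 * path, everything the -EMSGSIZE exit path needs is copied out of 'iter'
 * right here, while the list element is still being walked. Returns the
 * number of bytes copied on success (a modelling choice, not the driver's
 * exact contract). */
static int bcm_vk_read_model(struct bcm_vk_wkent *head, size_t buf_blks,
                             struct vk_msg_blk *buf)
{
    struct bcm_vk_wkent *entry = NULL, *iter;
    struct vk_msg_blk tmp_msg = { 0 };
    uint32_t tmp_usr_msg_id = 0;
    uint32_t tmp_blks = 0;
    int rc = -ENOMSG;

    for (iter = head; iter; iter = iter->next) {
        if (iter->to_h_blks <= buf_blks) {
            entry = iter;
            rc = 0;
        } else {
            /* buffer not big enough: snapshot now, never touch entry later */
            tmp_msg = iter->to_h_msg[0];
            tmp_usr_msg_id = iter->usr_msg_id;
            tmp_blks = iter->to_h_blks;
            rc = -EMSGSIZE;
        }
        goto read_loop_exit;
    }

read_loop_exit:
    if (rc == 0) {
        memcpy(buf, entry->to_h_msg, entry->to_h_blks * VK_MSGQ_BLK_SIZE);
        rc = (int)(entry->to_h_blks * VK_MSGQ_BLK_SIZE);
    } else if (rc == -EMSGSIZE) {
        /* return just the first block so the app knows what size it needs;
         * the old code read entry->usr_msg_id and entry->to_h_blks here */
        set_msg_id(&tmp_msg, tmp_usr_msg_id);
        tmp_msg.size = tmp_blks - 1;
        memcpy(buf, &tmp_msg, VK_MSGQ_BLK_SIZE);
    }
    return rc;
}

/* Constructed work entry: a 3-block message with user message id 7. */
static struct bcm_vk_wkent *sample_entry(void)
{
    static struct bcm_vk_wkent ent;
    memset(&ent, 0, sizeof(ent));
    ent.usr_msg_id = 7;
    ent.to_h_blks = 3;
    ent.to_h_msg[0].size = 2;
    memcpy(ent.to_h_msg[1].payload, "hello", 6);
    return &ent;
}
```

Calling `bcm_vk_read_model(sample_entry(), 1, buf)` returns `-EMSGSIZE` with `buf[0].msg_id == 7` and `buf[0].size == 2`, while a 4-block buffer receives all three blocks; in neither case is `entry` touched on the short-buffer path.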

Authored by Tuo Li, committed by Greg Kroah-Hartman
ba75ecb9 b54c82d6

+8 -4
drivers/misc/bcm-vk/bcm_vk_msg.c
··· 1010 1010 struct device *dev = &vk->pdev->dev; 1011 1011 struct bcm_vk_msg_chan *chan = &vk->to_h_msg_chan; 1012 1012 struct bcm_vk_wkent *entry = NULL, *iter; 1013 + struct vk_msg_blk tmp_msg; 1014 + u32 tmp_usr_msg_id; 1015 + u32 tmp_blks; 1013 1016 u32 q_num; 1014 1017 u32 rsp_length; 1015 1018 ··· 1037 1034 entry = iter; 1038 1035 } else { 1039 1036 /* buffer not big enough */ 1037 + tmp_msg = iter->to_h_msg[0]; 1038 + tmp_usr_msg_id = iter->usr_msg_id; 1039 + tmp_blks = iter->to_h_blks; 1040 1040 rc = -EMSGSIZE; 1041 1041 } 1042 1042 goto read_loop_exit; ··· 1058 1052 1059 1053 bcm_vk_free_wkent(dev, entry); 1060 1054 } else if (rc == -EMSGSIZE) { 1061 - struct vk_msg_blk tmp_msg = entry->to_h_msg[0]; 1062 - 1063 1055 /* 1064 1056 * in this case, return just the first block, so 1065 1057 * that app knows what size it is looking for. 1066 1058 */ 1067 - set_msg_id(&tmp_msg, entry->usr_msg_id); 1068 - tmp_msg.size = entry->to_h_blks - 1; 1059 + set_msg_id(&tmp_msg, tmp_usr_msg_id); 1060 + tmp_msg.size = tmp_blks - 1; 1069 1061 if (copy_to_user(buf, &tmp_msg, VK_MSGQ_BLK_SIZE) != 0) { 1070 1062 dev_err(dev, "Error return 1st block in -EMSGSIZE\n"); 1071 1063 rc = -EFAULT;
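Review bot: the three temporaries added at 1013-1015 in the first hunk are declared without initializers and are assigned only in the else-branch of the second hunk (1037-1039); the compiler cannot tie `rc == -EMSGSIZE` at 1054 to that assignment, so builds with -Wmaybe-uninitialized may warn on `set_msg_id(&tmp_msg, tmp_usr_msg_id)`. Consider `struct vk_msg_blk tmp_msg = {};` and `u32 tmp_usr_msg_id = 0, tmp_blks = 0;`, which also keeps the block later handed to copy_to_user free of stack contents should a future change reach the -EMSGSIZE exit without taking the snapshot branch.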
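Review bot: the rewrite at 1059-1060 in the third hunk is correct, and in the visible context the bug it fixes was certain rather than possible: `entry` is initialised to NULL at 1012 and assigned only on the buffer-fits branch at 1034, so the removed `entry->to_h_msg[0]` read at old 1061 dereferenced NULL every time rc was -EMSGSIZE. It would help readers of the log if the commit message said so and also noted that the snapshot in the second hunk is taken while `iter` is still the element being walked, so the copied fields cannot go stale before the exit path uses them.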