From patchwork Fri Apr 25 14:58:38 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: tim.gore@intel.com X-Patchwork-Id: 4063781 Return-Path: X-Original-To: patchwork-intel-gfx@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 422949F387 for ; Fri, 25 Apr 2014 14:58:49 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 4B50C20381 for ; Fri, 25 Apr 2014 14:58:48 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id 53817200BE for ; Fri, 25 Apr 2014 14:58:47 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id C0CEA6EED0; Fri, 25 Apr 2014 07:58:46 -0700 (PDT) X-Original-To: intel-gfx@lists.freedesktop.org Delivered-To: intel-gfx@lists.freedesktop.org Received: from mga03.intel.com (mga03.intel.com [143.182.124.21]) by gabe.freedesktop.org (Postfix) with ESMTP id A66186EECA for ; Fri, 25 Apr 2014 07:58:43 -0700 (PDT) Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by azsmga101.ch.intel.com with ESMTP; 25 Apr 2014 07:58:43 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="4.97,927,1389772800"; d="scan'208";a="519760799" Received: from intel.iwi.intel.com ([172.28.253.39]) by fmsmga001.fm.intel.com with ESMTP; 25 Apr 2014 07:58:42 -0700 
From: tim.gore@intel.com
To: intel-gfx@lists.freedesktop.org
Date: Fri, 25 Apr 2014 15:58:38 +0100
Message-Id: <1398437920-17394-2-git-send-email-tim.gore@intel.com>
X-Mailer: git-send-email 1.9.2
In-Reply-To: <1398437920-17394-1-git-send-email-tim.gore@intel.com>
References: <1398437920-17394-1-git-send-email-tim.gore@intel.com>
Subject: [Intel-gfx] [PATCH 1/3] libdrm: fix some potential security issues
X-BeenThere: intel-gfx@lists.freedesktop.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Intel graphics driver community testing & development
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Errors-To: intel-gfx-bounces@lists.freedesktop.org
Sender: "Intel-gfx"
X-Spam-Status: No, score=-4.8 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Tim Gore

A static analysis of libdrm source code has identified several potential bugs. This commit addresses the critical issues in xf86drm.c, which are all possible null pointer dereferences.

NOTE: I have kept to the indenting style already used in this file, which is a mixture of spaces and tabs.

Signed-off-by: Tim Gore
---
 xf86drm.c | 99 +++++++++++++++++++++++++++++++++++++++++----------------------
 1 file changed, 64 insertions(+), 35 deletions(-)

diff --git a/xf86drm.c b/xf86drm.c
index e94f2cd..77b9337 100644
--- a/xf86drm.c
+++ b/xf86drm.c
@@ -191,12 +191,20 @@ drmHashEntry *drmGetEntry(int fd)
 if (!drmHashTable)
 drmHashTable = drmHashCreate();
+ if (!drmHashTable)
+ return NULL;
+
 if (drmHashLookup(drmHashTable, key, &value)) {
- entry = drmMalloc(sizeof(*entry));
- entry->fd = fd;
- entry->f = NULL;
- entry->tagTable = drmHashCreate();
- drmHashInsert(drmHashTable, key, entry);
+ if ((entry = drmMalloc(sizeof(*entry)))) {
+ entry->fd = fd;
+ entry->f = NULL;
+ if ((entry->tagTable = drmHashCreate())) {
+ drmHashInsert(drmHashTable, key, entry);
+ } else {
+ drmFree(entry);
+ entry = NULL;
+ }
+ }
 } else {
 entry = value;
 }
@@ -743,6 +751,9 @@ drmVersionPtr drmGetVersion(int fd)
 drmVersionPtr retval;
 drm_version_t *version = drmMalloc(sizeof(*version));
+ if (!version)
+ return NULL;
+
 version->name_len = 0;
 version->name = NULL;
 version->date_len = 0;
@@ -774,7 +785,8 @@ drmVersionPtr drmGetVersion(int fd)
 if (version->desc_len)
 version->desc[version->desc_len] = '\0';
 retval = drmMalloc(sizeof(*retval));
- drmCopyVersion(retval, version);
+ if (retval)
+ drmCopyVersion(retval, version);
 drmFreeKernelVersion(version);
 return retval;
 }
@@ -797,6 +809,9 @@ drmVersionPtr drmGetLibVersion(int fd)
 {
 drm_version_t *version = drmMalloc(sizeof(*version));
+ if (!version)
+ return NULL;
+
 /* Version history:
 * NOTE THIS MUST NOT GO ABOVE VERSION 1.X due to drivers needing it
 * revision 1.0.x = original DRM interface with no drmGetLibVersion
@@ -1112,13 +1127,14 @@ int drmClose(int fd)
 unsigned long key = drmGetKeyFromFd(fd);
 drmHashEntry *entry = drmGetEntry(fd);
- drmHashDestroy(entry->tagTable);
- entry->fd = 0;
- entry->f = NULL;
- entry->tagTable = NULL;
-
+ if (entry) {
+ drmHashDestroy(entry->tagTable);
+ entry->fd = 0;
+ entry->f = NULL;
+ entry->tagTable = NULL;
+ drmFree(entry);
+ }
 drmHashDelete(drmHashTable, key);
- drmFree(entry);
 return close(fd);
 }
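Review bot: The `drmHashInsert(drmHashTable, key, entry)` call in the new success branch of drmGetEntry is still unchecked, so if the insert does not happen (the drmAddContextTag hunk treats a non-zero return as "not inserted") the entry is handed back to the caller but never recorded in drmHashTable, and the next drmGetEntry(fd) for the same fd allocates a second one. Since this commit already adds a cleanup path for a failed drmHashCreate, the same cleanup should apply to a failed insert so the fd is either registered or the caller sees NULL. drmGetEntry's body starts before this hunk, so the key/value declarations are not visible here.
```c
	if ((entry->tagTable = drmHashCreate())) {
	    if (drmHashInsert(drmHashTable, key, entry)) {
		/* not registered for this fd: do not return an orphaned entry */
		drmHashDestroy(entry->tagTable);
		drmFree(entry);
		entry = NULL;
	    }
	} else {
	    /* … unchanged: drmFree(entry); entry = NULL; … */
```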
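Review bot: In the drmClose hunk, `drmHashDelete(drmHashTable, key);` still runs unconditionally, but with this commit drmGetEntry returns NULL when drmHashCreate fails, and in that case drmHashTable is still NULL when drmHashDelete is reached (whether drmHashDelete tolerates a NULL table is not visible in this hunk). A non-NULL entry implies the table exists, and when entry is NULL there is nothing to delete, so moving the call to the end of the new `if (entry) { ... }` block, `drmHashDelete(drmHashTable, key);` after `drmFree(entry);`, keeps the close path free of the dereference. close(fd) is still reached on every path either way.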
@@ -1194,14 +1210,19 @@ drmBufInfoPtr drmGetBufInfo(int fd)
 return NULL;
 }
- retval = drmMalloc(sizeof(*retval));
- retval->count = info.count;
- retval->list = drmMalloc(info.count * sizeof(*retval->list));
- for (i = 0; i < info.count; i++) {
- retval->list[i].count = info.list[i].count;
- retval->list[i].size = info.list[i].size;
- retval->list[i].low_mark = info.list[i].low_mark;
- retval->list[i].high_mark = info.list[i].high_mark;
+ if ((retval = drmMalloc(sizeof(*retval)))) {
+ retval->count = info.count;
+ if ((retval->list = drmMalloc(info.count * sizeof(*retval->list)))) {
+ for (i = 0; i < info.count; i++) {
+ retval->list[i].count = info.list[i].count;
+ retval->list[i].size = info.list[i].size;
+ retval->list[i].low_mark = info.list[i].low_mark;
+ retval->list[i].high_mark = info.list[i].high_mark;
+ }
+ } else {
+ drmFree(retval);
+ retval = NULL;
+ }
 }
 drmFree(info.list);
 return retval;
@@ -1247,14 +1268,19 @@ drmBufMapPtr drmMapBufs(int fd)
 return NULL;
 }
- retval = drmMalloc(sizeof(*retval));
- retval->count = bufs.count;
- retval->list = drmMalloc(bufs.count * sizeof(*retval->list));
- for (i = 0; i < bufs.count; i++) {
- retval->list[i].idx = bufs.list[i].idx;
- retval->list[i].total = bufs.list[i].total;
- retval->list[i].used = 0;
- retval->list[i].address = bufs.list[i].address;
+ if (retval = drmMalloc(sizeof(*retval))) {
+ retval->count = bufs.count;
+ if ((retval->list = drmMalloc(bufs.count * sizeof(*retval->list)))) {
+ for (i = 0; i < bufs.count; i++) {
+ retval->list[i].idx = bufs.list[i].idx;
+ retval->list[i].total = bufs.list[i].total;
+ retval->list[i].used = 0;
+ retval->list[i].address = bufs.list[i].address;
+ }
+ } else {
+ drmFree(retval);
+ retval = NULL;
+ }
 }
 drmFree(bufs.list);
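Review bot: `if (retval = drmMalloc(sizeof(*retval))) {` in the drmMapBufs hunk uses a bare assignment as the condition, unlike the double-parenthesized form the same commit uses two lines later for `retval->list` and throughout drmGetBufInfo and drmGetEntry; it reads like a typo for `==` and trips -Wparentheses. Write it as `if ((retval = drmMalloc(sizeof(*retval)))) {` so the intent is explicit and consistent with the rest of the patch. drmMapBufs continues past this hunk; its final return is not shown.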
@@ -2099,10 +2125,11 @@ int drmGetInterruptFromBusID(int fd, int busnum, int devnum, int funcnum)
 int drmAddContextTag(int fd, drm_context_t context, void *tag)
 {
 drmHashEntry *entry = drmGetEntry(fd);
-
- if (drmHashInsert(entry->tagTable, context, tag)) {
- drmHashDelete(entry->tagTable, context);
- drmHashInsert(entry->tagTable, context, tag);
+ if (entry) {
+ if (drmHashInsert(entry->tagTable, context, tag)) {
+ drmHashDelete(entry->tagTable, context);
+ drmHashInsert(entry->tagTable, context, tag);
+ }
 }
 return 0;
 }
@@ -2110,8 +2137,10 @@ int drmAddContextTag(int fd, drm_context_t context, void *tag)
 int drmDelContextTag(int fd, drm_context_t context)
 {
 drmHashEntry *entry = drmGetEntry(fd);
-
- return drmHashDelete(entry->tagTable, context);
+ if (entry)
+ return drmHashDelete(entry->tagTable, context);
+ else
+ return 1; /* not found */
 }
 void *drmGetContextTag(int fd, drm_context_t context)
@@ -2119,7 +2148,7 @@ void *drmGetContextTag(int fd, drm_context_t context)
 drmHashEntry *entry = drmGetEntry(fd);
 void *value;
- if (drmHashLookup(entry->tagTable, context, &value))
+ if (!entry || (drmHashLookup(entry->tagTable, context, &value)))
 return NULL;
 return value;
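Review bot: drmAddContextTag still returns 0 when entry is NULL, so a caller whose tag was silently dropped is told the operation succeeded, while the sibling drmDelContextTag hunk reports the same condition with `return 1; /* not found */`. Either make the NULL-entry case an error here too, `if (!entry) return 1; /* no entry for this fd */` ahead of the insert, or add a comment on the function stating that it cannot report failure (the second drmHashInsert's return value is also still ignored, as before this commit). Whether any caller checks this return is not visible in the hunk.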
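Review bot: The new condition in drmGetContextTag wraps the lookup in a redundant pair of parentheses, which suggests a precedence concern that `||` does not have here. `if (!entry || drmHashLookup(entry->tagTable, context, &value))` is equivalent and matches how the condition is written elsewhere in the file; the short-circuit already guarantees entry is non-NULL before the dereference.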