From patchwork Tue Aug 6 23:15:29 2013
X-Patchwork-Submitter: James Bates
X-Patchwork-Id: 2839715
From: James Bates
Subject: [PATCH] efifb: prevent null dereferences by removing unused array indices from dmi_list
Date: Wed, 7 Aug 2013 01:15:29 +0200
To: Peter Jones, Jean-Christophe Plagniol-Villard, Tomi Valkeinen, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org

Hi all,

The dmi_list array is initialized using GNU designated initializers, and therefore contains fewer explicitly defined entries than there are elements in it. This is because the enum above with M_blabla constants contains more items than the designated initializer. Those elements not explicitly initialized are implicitly set to 0.

Now efifb_setup(), L.322 & L.323, loops through all these array elements, and performs a strcmp on a field (optname) in each item. For non explicitly initialized elements this will be a null pointer:

    for (i = 0; i < M_UNKNOWN; i++) {
        if (!strcmp(this_opt, dmi_list[i].optname) &&

On my macbook6,1 the predefined values are for some reason incorrect, and most parameters are preset correctly by my efi bootloader (elilo), but stride/line_length is not detected correctly and so I wish to set it explicitly using a "video=efifb:stride:2048" command-line argument. Because of the above null dereference, an exception (presumably) occurs before the parsing code (L.333) is ever reached. I say presumably since the mac hangs on boot without a console, and I can therefore not see any output.

By removing the unused values from the enum, and thus preventing implicitly initialized items in the dmi_list array, the null dereference does not occur, my custom command-line arg is parsed correctly, and my console displays correctly.

Signed-off-by: James Bates
Reviewed-by: David Herrmann

--- drivers/video/efifb.c | 3 --- 1 file changed, 3 deletions(-) -- 1.7.12.4 (Apple Git-37) diff --git a/drivers/video/efifb.c b/drivers/video/efifb.c index 50fe668..52d1d88 100644 --- a/drivers/video/efifb.c +++ b/drivers/video/efifb.c @@ -50,12 +50,9 @@ enum { M_MINI_3_1, /* Mac Mini, 3,1th gen */ M_MINI_4_1, /* Mac Mini, 4,1th gen */ M_MB, /* MacBook */ - M_MB_2, /* MacBook, 2nd rev. */ - M_MB_3, /* MacBook, 3rd rev. */ M_MB_5_1, /* MacBook, 5th rev. */ M_MB_6_1, /* MacBook, 6th rev. */ M_MB_7_1, /* MacBook, 7th rev. */ - M_MB_SR, /* MacBook, 2nd gen, (Santa Rosa) */ M_MBA, /* MacBook Air */ M_MBA_3, /* Macbook Air, 3rd rev */ M_MBP, /* MacBook Pro */
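
Review bot: Deleting M_MB_2, M_MB_3 and M_MB_SR from the enum closes the holes that exist in dmi_list today, but the loop quoted in the description still hands dmi_list[i].optname to strcmp() unchecked, so the next enumerator added before M_UNKNOWN without a matching initializer brings the same NULL dereference back. Consider guarding the loop as well, for example "if (dmi_list[i].optname && !strcmp(this_opt, dmi_list[i].optname) && ...", so that option parsing does not rely on the enum and the table being kept in step by hand. The hunk only shows the enum, so please also confirm that nothing else in efifb.c still refers to the three removed names. The "Hi all," greeting in the changelog should be dropped before this is applied.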