diff mbox series

fix NULL pointer deference crash

Message ID 20210331163425.8092-1-h.shahbazi.git@gmail.com
State New
Headers show
Series fix NULL pointer deference crash | expand

Commit Message

Hassan Shahbazi March 31, 2021, 4:34 p.m. UTC
The patch has fixed a NULL pointer deference crash in hiding the cursor. It 
is verified by syzbot patch tester.

Reported by: syzbot
https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b

Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
---
 drivers/video/fbdev/core/fbcon.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Greg KH March 31, 2021, 5:32 p.m. UTC | #1
On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> The patch has fixed a NULL pointer deference crash in hiding the cursor. It 
> is verified by syzbot patch tester.
> 
> Reported by: syzbot
> https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
> 
> Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
> ---
>  drivers/video/fbdev/core/fbcon.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 44a5cd2f54cc..ee252d1c43c6 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
>  
>  	ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
>  
> -	ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> -		    get_color(vc, info, c, 0));
> +	if (ops && ops->cursor)

As ops obviously is not NULL here (you just used it on the line above),
why are you checking it again?

And what makes curser be NULL here?  How can that happen?

Also your subject line can use some work, please make it reflect the
driver subsystem you are looking at.

thanks,

greg k-h
Dan Carpenter March 31, 2021, 8:02 p.m. UTC | #2
Hi Hassan,

url:    https://github.com/0day-ci/linux/commits/Hassan-Shahbazi/fix-NULL-pointer-deference-crash/20210401-004543
base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 5e46d1b78a03d52306f21f77a4e4a144b6d31486
config: x86_64-randconfig-m001-20210330 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

New smatch warnings:
drivers/video/fbdev/core/fbcon.c:1336 fbcon_cursor() warn: variable dereferenced before check 'ops' (see line 1324)

Old smatch warnings:
drivers/video/fbdev/core/fbcon.c:3028 fbcon_get_con2fb_map_ioctl() warn: potential spectre issue 'con2fb_map' [r]

vim +/ops +1336 drivers/video/fbdev/core/fbcon.c

^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1318  static void fbcon_cursor(struct vc_data *vc, int mode)
^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1319  {
^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1320  	struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1321  	struct fbcon_ops *ops = info->fbcon_par;
^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1322   	int c = scr_readw((u16 *) vc->vc_pos);
^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1323  
2a17d7e80f1df44 drivers/video/console/fbcon.c    Scot Doyle         2015-08-04 @1324  	ops->cur_blink_jiffies = msecs_to_jiffies(vc->vc_cur_blink_ms);
2a17d7e80f1df44 drivers/video/console/fbcon.c    Scot Doyle         2015-08-04  1325  
d1e2306681ad3cb drivers/video/console/fbcon.c    Michal Januszewski 2007-05-08  1326  	if (fbcon_is_inactive(vc, info) || vc->vc_deccm != 1)
^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1327  		return;
^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1328  
c0e4b3ad67997a6 drivers/video/fbdev/core/fbcon.c Jiri Slaby         2020-06-15  1329  	if (vc->vc_cursor_type & CUR_SW)
acba9cd01974353 drivers/video/console/fbcon.c    Antonino A. Daplas 2007-07-17  1330  		fbcon_del_cursor_timer(info);
a5edce421848442 drivers/video/console/fbcon.c    Thierry Reding     2015-05-21  1331  	else
acba9cd01974353 drivers/video/console/fbcon.c    Antonino A. Daplas 2007-07-17  1332  		fbcon_add_cursor_timer(info);
acba9cd01974353 drivers/video/console/fbcon.c    Antonino A. Daplas 2007-07-17  1333  
^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1334  	ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
                                                                                        ^^^^^^^^^^^^^^^^^
Dereferenced

^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1335  
1d73453653c6d4f drivers/video/fbdev/core/fbcon.c Hassan Shahbazi    2021-03-31 @1336  	if (ops && ops->cursor)
                                                                                            ^^^
Checked too late

06a0df4d1b8b13b drivers/video/fbdev/core/fbcon.c Linus Torvalds     2020-09-08  1337  		ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1338  				get_color(vc, info, c, 0));
^1da177e4c3f415 drivers/video/console/fbcon.c    Linus Torvalds     2005-04-16  1339  }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Hassan Shahbazi April 1, 2021, 6:21 a.m. UTC | #3
On Wed, Mar 31, 2021 at 07:32:06PM +0200, Greg KH wrote:
> On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> > The patch has fixed a NULL pointer deference crash in hiding the cursor. It 
> > is verified by syzbot patch tester.
> > 
> > Reported by: syzbot
> > https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
> > 
> > Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
> > ---
> >  drivers/video/fbdev/core/fbcon.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > index 44a5cd2f54cc..ee252d1c43c6 100644
> > --- a/drivers/video/fbdev/core/fbcon.c
> > +++ b/drivers/video/fbdev/core/fbcon.c
> > @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
> >  
> >  	ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
> >  
> > -	ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> > -		    get_color(vc, info, c, 0));
> > +	if (ops && ops->cursor)
> 
> As ops obviously is not NULL here (you just used it on the line above),
> why are you checking it again?

Yes, that's right. I will remove that check and will submit a new patch.


> And what makes curser be NULL here?  How can that happen?

Honestly, I don't know. I reproduced the crash on my local, followed the
stack trace, and then changed the line to avoid the crash. If you think this
patch is not the best solution, I can drop it and investigate more to find
the root cause.


> Also your subject line can use some work, please make it reflect the
> driver subsystem you are looking at.
 
This was a mistake, I did not intend to change the subject. I will ensure
the next patch reflects the subsystem.

> thanks,
> 
> greg k-h

Best,
Hassan Shahbazi
Greg KH April 1, 2021, 6:54 a.m. UTC | #4
On Thu, Apr 01, 2021 at 09:21:54AM +0300, Hassan Shahbazi wrote:
> On Wed, Mar 31, 2021 at 07:32:06PM +0200, Greg KH wrote:
> > On Wed, Mar 31, 2021 at 07:34:29PM +0300, Hassan Shahbazi wrote:
> > > The patch has fixed a NULL pointer deference crash in hiding the cursor. It 
> > > is verified by syzbot patch tester.
> > > 
> > > Reported by: syzbot
> > > https://syzkaller.appspot.com/bug?id=defb47bf56e1c14d5687280c7bb91ce7b608b94b
> > > 
> > > Signed-off-by: Hassan Shahbazi <h.shahbazi.git@gmail.com>
> > > ---
> > >  drivers/video/fbdev/core/fbcon.c | 5 +++--
> > >  1 file changed, 3 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > > index 44a5cd2f54cc..ee252d1c43c6 100644
> > > --- a/drivers/video/fbdev/core/fbcon.c
> > > +++ b/drivers/video/fbdev/core/fbcon.c
> > > @@ -1333,8 +1333,9 @@ static void fbcon_cursor(struct vc_data *vc, int mode)
> > >  
> > >  	ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
> > >  
> > > -	ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
> > > -		    get_color(vc, info, c, 0));
> > > +	if (ops && ops->cursor)
> > 
> > As ops obviously is not NULL here (you just used it on the line above),
> > why are you checking it again?
> 
> Yes, that's right. I will remove that check and will submit a new patch.
> 
> 
> > And what makes curser be NULL here?  How can that happen?
> 
> Honestly, I don't know. I reproduced the crash on my local, followed the
> stack trace, and then changed the line to avoid the crash. If you think this
> patch is not the best solution, I can drop it and investigate more to find
> the root cause.

Finding the root cause would be good to do here, so that we can
potentially fix that if it is needed.

thanks,

greg k-h
diff mbox series

Patch

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 44a5cd2f54cc..ee252d1c43c6 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -1333,8 +1333,9 @@  static void fbcon_cursor(struct vc_data *vc, int mode)
 
 	ops->cursor_flash = (mode == CM_ERASE) ? 0 : 1;
 
-	ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
-		    get_color(vc, info, c, 0));
+	if (ops && ops->cursor)
+		ops->cursor(vc, info, mode, get_color(vc, info, c, 1),
+				get_color(vc, info, c, 0));
 }
 
 static int scrollback_phys_max = 0;