diff options
| author | Julia Lawall <julia@diku.dk> | 2010-05-15 05:45:53 -0400 |
|---|---|---|
| committer | Rusty Russell <rusty@rustcorp.com.au> | 2010-05-19 08:45:51 -0400 |
| commit | 0643e4c6e4fd67778fa886a89e6ec2320e0ff4d3 (patch) | |
| tree | b56c3f7112a36694c133417c68c3f9283a42f713 /drivers/char | |
| parent | 8345adbf96fc1bde7d9846aadbe5af9b2ae90882 (diff) | |
drivers/char: Eliminate use after free
In each case, the first argument to send_control_msg or __send_control_msg,
respectively, has either not been successfully allocated or has been freed
at the point of the call. In the first case, the first argument, port, is
only used to access the portdev and id fields, in order to call
__send_control_msg. Thus it seems possible instead to call
__send_control_msg directly. In the second case, the call to
__send_control_msg is moved up to a place where it seems like the first
argument, portdev, has been initialized sufficiently to make the call to
__send_control_msg meaningful.
This has only been compile tested.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@free@
expression E;
position p;
@@
kfree@p(E)
@@
expression free.E, subE<=free.E, E1;
position free.p;
@@
kfree@p(E)
...
(
subE = E1
|
* E
)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'drivers/char')
| -rw-r--r-- | drivers/char/virtio_console.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c index 458d907e3621..8c99bf1b5e9f 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c | |||
| @@ -1090,7 +1090,7 @@ free_port: | |||
| 1090 | kfree(port); | 1090 | kfree(port); |
| 1091 | fail: | 1091 | fail: |
| 1092 | /* The host might want to notify management sw about port add failure */ | 1092 | /* The host might want to notify management sw about port add failure */ |
| 1093 | send_control_msg(port, VIRTIO_CONSOLE_PORT_READY, 0); | 1093 | __send_control_msg(portdev, id, VIRTIO_CONSOLE_PORT_READY, 0); |
| 1094 | return err; | 1094 | return err; |
| 1095 | } | 1095 | } |
| 1096 | 1096 | ||
| @@ -1559,6 +1559,9 @@ static int __devinit virtcons_probe(struct virtio_device *vdev) | |||
| 1559 | return 0; | 1559 | return 0; |
| 1560 | 1560 | ||
| 1561 | free_vqs: | 1561 | free_vqs: |
| 1562 | /* The host might want to notify mgmt sw about device add failure */ | ||
| 1563 | __send_control_msg(portdev, VIRTIO_CONSOLE_BAD_ID, | ||
| 1564 | VIRTIO_CONSOLE_DEVICE_READY, 0); | ||
| 1562 | vdev->config->del_vqs(vdev); | 1565 | vdev->config->del_vqs(vdev); |
| 1563 | kfree(portdev->in_vqs); | 1566 | kfree(portdev->in_vqs); |
| 1564 | kfree(portdev->out_vqs); | 1567 | kfree(portdev->out_vqs); |
| @@ -1567,9 +1570,6 @@ free_chrdev: | |||
| 1567 | free: | 1570 | free: |
| 1568 | kfree(portdev); | 1571 | kfree(portdev); |
| 1569 | fail: | 1572 | fail: |
| 1570 | /* The host might want to notify mgmt sw about device add failure */ | ||
| 1571 | __send_control_msg(portdev, VIRTIO_CONSOLE_BAD_ID, | ||
| 1572 | VIRTIO_CONSOLE_DEVICE_READY, 0); | ||
| 1573 | return err; | 1573 | return err; |
| 1574 | } | 1574 | } |
| 1575 | 1575 | ||