possible use-after-free in amdgpu_dm

Felix Kuehling felix.kuehling at amd.com
Tue Oct 17 17:58:38 UTC 2017


On 2017-10-17 01:25 PM, Tom St Denis wrote:
> On 17/10/17 01:23 PM, Tom St Denis wrote:
>> On 17/10/17 01:18 PM, Christian König wrote:
>>> On 17.10.2017 at 16:10, Tom St Denis wrote:
>>>> In this block of code:
>>>>
>>>> void amdgpu_dm_connector_funcs_reset(struct drm_connector *connector)
>>>> {
>>>>     struct dm_connector_state *state =
>>>>         to_dm_connector_state(connector->state);
>>>>
>>>>     kfree(state);
>>>>
>>>>     state = kzalloc(sizeof(*state), GFP_KERNEL);
>>>>
>>>>
>>>> The value of state is never compared with NULL and, more so, the value
>>>> of connector->state is never written to if NULL. Wouldn't this mean
>>>> the pointer points to freed memory?
>>>
>
> Sorry I think I might be explaining this poorly.
>
> In the case the alloc succeeds the pointer is updated and everything
> is fine.
>
> IF the alloc fails the pointer (connector->state) is not updated and
> the value points to freed memory.

I'm wondering why the function frees, and then reallocates the memory.
Does its size change? If not, why not just memset it to 0?

Regards,
  Felix

>
> Tom
> _______________________________________________
> amd-gfx mailing list
> amd-gfx at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/amd-gfx
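The hazard Tom describes, as an added stand-alone example (not the amdgpu_dm code or anything from this thread): the free-then-allocate ordering beside an allocate-then-free ordering, driven by a fault-injecting allocator so the dangling connector->state can be observed. The structs, fake_kzalloc/fake_kfree and the reset_* function names are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the DRM/DC structures, not the kernel's own. */
struct dm_connector_state { int scaling; int underscan_enable; };
struct drm_connector { struct dm_connector_state *state; };

/* Fault-injecting kzalloc()/kfree() stand-ins: when fail_next_alloc is set the
 * next allocation returns NULL; kfree records the address it released. */
static bool fail_next_alloc;
static uintptr_t last_freed;
static void *fake_kzalloc(size_t n)
{
	bool fail = fail_next_alloc;
	fail_next_alloc = false;
	return fail ? NULL : calloc(1, n);
}
static void fake_kfree(void *p) { last_freed = (uintptr_t)p; free(p); }

/* Ordering from the thread: free first, allocate second. If the allocation
 * fails, connector->state is left pointing at the freed block. */
struct dm_connector_state *reset_free_then_alloc(struct drm_connector *c)
{
	struct dm_connector_state *state = c->state;
	fake_kfree(state);
	state = fake_kzalloc(sizeof(*state));
	if (!state)
		return NULL;	/* c->state now dangles */
	c->state = state;
	return state;
}

/* Hardened ordering: allocate first; free the old state and swap the pointer
 * only once the new block exists, so c->state never refers to freed memory. */
struct dm_connector_state *reset_alloc_then_free(struct drm_connector *c)
{
	struct dm_connector_state *state = fake_kzalloc(sizeof(*state));
	if (!state)
		return NULL;	/* old state untouched and still valid */
	fake_kfree(c->state);
	c->state = state;
	return state;
}

/* Runs one reset routine through a failed allocation and reports whether
 * connector->state ends up holding an address that was freed. */
bool dangles_after_failed_alloc(struct dm_connector_state *(*reset)(struct drm_connector *))
{
	struct drm_connector c = { calloc(1, sizeof(struct dm_connector_state)) };
	last_freed = 0;
	fail_next_alloc = true;
	reset(&c);
	bool dangling = c.state && (uintptr_t)c.state == last_freed;
	if (!dangling)
		free(c.state);	/* hardened path: still a live allocation */
	return dangling;
}
```

Under a tool such as KASAN the first ordering would be flagged the moment connector->state is dereferenced after the failed allocation; the second ordering has no such window.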
