[PATCH] drm/fb-helper: Fix drm_fb_helper_hotplug_event() NULL ptr argument

Dan Carpenter dan.carpenter at oracle.com
Wed May 15 13:55:16 UTC 2019


On Wed, May 15, 2019 at 03:40:14PM +0200, Daniel Vetter wrote:
> On Wed, May 15, 2019 at 03:29:25PM +0200, Noralf Trønnes wrote:
> > drm_fb_helper_hotplug_event() should tolerate the fb_helper argument being
> > NULL. Commit 03a9606e7fee ("drm/fb-helper: Avoid race with DRM userspace")
> > introduced a fb_helper dereference before the NULL check.
> > Fixup by moving the dereference after the NULL check.
> > 
> > Fixes: 03a9606e7fee ("drm/fb-helper: Avoid race with DRM userspace")
> > Reported-by: kbuild test robot <lkp at intel.com>
> > Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
> > Signed-off-by: Noralf Trønnes <noralf at tronnes.org>
> 
> Ah the classic "I spotted a deref before your NULL check, I'm going to
> optimize this all away because you got it wrong" nonsense from gcc. I
> thought the kernel uses a special compile flag to avoid this optimization
> ...

This is just a normal NULL dereference bug.

You're thinking of the old tun.c vulnerability.  That was back in the
day before we started using -fno-delete-null-pointer-checks.  What
happened there was the code should have NULL dereferenced and Oopsed but
GCC optimized it away and it ended up being a privilege escalation bug
instead.

regards,
dan carpenter
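As an added illustration (not code from this thread or from the kernel), a small line-based heuristic in C that flags the ordering the fix corrects: a pointer dereferenced on a line before its NULL check. The two sample function bodies are constructed stand-ins for the buggy and fixed orderings, not the real drm_fb_helper_hotplug_event() source.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heuristic checker (added illustration, not kernel code): returns 1 when
 * `var` is dereferenced (var->) on an earlier line than its first NULL
 * check (if (!var) or var == NULL), 0 otherwise. Textual and line-based;
 * a real tool would work on the AST. */
int deref_before_null_check(const char *src, const char *var)
{
    char pat_deref[64], pat_not[64], pat_eq[64], buf[256];
    int deref_line = 0, check_line = 0, line = 1;
    const char *p = src;

    snprintf(pat_deref, sizeof pat_deref, "%s->", var);
    snprintf(pat_not, sizeof pat_not, "if (!%s)", var);
    snprintf(pat_eq, sizeof pat_eq, "%s == NULL", var);

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, p, len);
        buf[len] = '\0';
        if (!deref_line && strstr(buf, pat_deref))
            deref_line = line;
        if (!check_line && (strstr(buf, pat_not) || strstr(buf, pat_eq)))
            check_line = line;
        if (!nl)
            break;
        p = nl + 1;
        line++;
    }
    return deref_line && check_line && deref_line < check_line;
}

/* Constructed stand-ins for the two orderings discussed in the thread,
 * not the real drm_fb_helper_hotplug_event() body. */
static const char *buggy_src =
    "void hotplug_event(struct drm_fb_helper *fb_helper)\n{\n"
    "\tstruct drm_device *dev = fb_helper->dev;\n"   /* deref first */
    "\tif (!fb_helper)\n\t\treturn;\n}\n";            /* check too late */

static const char *fixed_src =
    "void hotplug_event(struct drm_fb_helper *fb_helper)\n{\n"
    "\tstruct drm_device *dev;\n"
    "\tif (!fb_helper)\n\t\treturn;\n"                /* check first */
    "\tdev = fb_helper->dev;\n}\n";
```

Note that -fno-delete-null-pointer-checks only stops the compiler from discarding the later check; the early dereference itself still faults, so the ordering has to be fixed in the source.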
