[Piglit] [PATCH 1/2] Use after free bugs
Jonathan Scott "Tincman" Tinkham
sctincman at gmail.com
Thu Aug 14 17:49:40 PDT 2014
param_value is passed after being free'd in a few cases and can cause seg
faults. The functions are supposed to return in error for other reasons, but
it is possible the usage still occurs.
Signed-off-by: Jonathan Tinkham <sctincman at gmail.com>
----
tests/cl/api/get-command-queue-info.c | 2 ++
tests/cl/api/get-context-info.c | 2 ++
tests/cl/api/get-image-info.c | 2 ++
tests/cl/api/get-kernel-info.c | 4 +++-
tests/cl/api/get-mem-object-info.c | 4 +++-
tests/cl/api/get-platform-ids.c | 2 ++
tests/cl/api/get-program-info.c | 4 +++-
7 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/tests/cl/api/get-command-queue-info.c
b/tests/cl/api/get-command-queue-info.c index 3ea8780..31fde75 100644
--- a/tests/cl/api/get-command-queue-info.c
+++ b/tests/cl/api/get-command-queue-info.c
@@ -125,6 +125,7 @@ piglit_cl_test(const int argc,
piglit_merge_result(&result, PIGLIT_FAIL);
}
+ param_value = malloc(param_value_size);
errNo = clGetCommandQueueInfo(command_queue,
CL_QUEUE_REFERENCE_COUNT,
1,
@@ -136,6 +137,7 @@ piglit_cl_test(const int argc,
piglit_cl_get_error_name(errNo));
piglit_merge_result(&result, PIGLIT_FAIL);
}
+ free(param_value);
/*
* CL_INVALID_COMMAND_QUEUE if command_queue is not a valid command
queue. diff --git a/tests/cl/api/get-context-info.c
b/tests/cl/api/get-context-info.c index fdd1f67..5f815e3 100644
--- a/tests/cl/api/get-context-info.c
+++ b/tests/cl/api/get-context-info.c
@@ -143,6 +143,7 @@ piglit_cl_test(const int argc,
piglit_merge_result(&result, PIGLIT_FAIL);
}
+ param_value = malloc(param_value_size);
errNo = clGetContextInfo(cl_ctx,
CL_CONTEXT_REFERENCE_COUNT,
1,
@@ -154,6 +155,7 @@ piglit_cl_test(const int argc,
piglit_cl_get_error_name(errNo));
piglit_merge_result(&result, PIGLIT_FAIL);
}
+ free(param_value);
/*
* CL_INVALID_CONTEXT if context is not a valid context.
diff --git a/tests/cl/api/get-image-info.c b/tests/cl/api/get-image-info.c
index b315ae9..e03743b 100644
--- a/tests/cl/api/get-image-info.c
+++ b/tests/cl/api/get-image-info.c
@@ -169,6 +169,7 @@ piglit_cl_test(const int argc,
piglit_merge_result(&result, PIGLIT_FAIL);
}
+ param_value = malloc(param_value_size);
errNo = clGetImageInfo(image,
CL_IMAGE_FORMAT,
1,
@@ -180,6 +181,7 @@ piglit_cl_test(const int argc,
piglit_cl_get_error_name(errNo));
piglit_merge_result(&result, PIGLIT_FAIL);
}
+ free(param_value);
/*
* CL_INVALID_MEM_OBJECT if image is a not a valid image object.
diff --git a/tests/cl/api/get-kernel-info.c b/tests/cl/api/get-kernel-info.c
index a6718ca..2641ca3 100644
--- a/tests/cl/api/get-kernel-info.c
+++ b/tests/cl/api/get-kernel-info.c
@@ -134,6 +134,7 @@ piglit_cl_test(const int argc,
piglit_merge_result(&result, PIGLIT_FAIL);
}
+ param_value = malloc(param_value_size);
errNo = clGetKernelInfo(kernel,
CL_KERNEL_FUNCTION_NAME,
1,
@@ -145,7 +146,8 @@ piglit_cl_test(const int argc,
piglit_cl_get_error_name(errNo));
piglit_merge_result(&result, PIGLIT_FAIL);
}
-
+ free(param_value);
+
/*
* CL_INVALID_KERNEL if kernel is not a valid kernel object.
*/
diff --git a/tests/cl/api/get-mem-object-info.c
b/tests/cl/api/get-mem-object-info.c index c24b51d..7ace7ac 100644
--- a/tests/cl/api/get-mem-object-info.c
+++ b/tests/cl/api/get-mem-object-info.c
@@ -134,6 +134,7 @@ piglit_cl_test(const int argc,
piglit_merge_result(&result, PIGLIT_FAIL);
}
+ param_value = malloc(param_value_size);
errNo = clGetMemObjectInfo(memobj,
CL_MEM_TYPE,
1,
@@ -145,7 +146,8 @@ piglit_cl_test(const int argc,
piglit_cl_get_error_name(errNo));
piglit_merge_result(&result, PIGLIT_FAIL);
}
-
+ free(param_value);
+
/*
* CL_INVALID_MEM_OBJECT if memobj is a not a valid memory object.
*/
diff --git a/tests/cl/api/get-platform-ids.c b/tests/cl/api/get-platform-ids.c
index f94ab0c..c859877 100644
--- a/tests/cl/api/get-platform-ids.c
+++ b/tests/cl/api/get-platform-ids.c
@@ -90,6 +90,7 @@ piglit_cl_test(const int argc,
* to zero and platforms is not NULL, or if both num_platforms
* and platforms are NULL.
*/
+ platforms = malloc(sizeof(cl_platform_id));
errNo = clGetPlatformIDs(0, platforms, NULL);
if(!piglit_cl_check_error(errNo, CL_INVALID_VALUE)) {
fprintf(stderr,
@@ -97,6 +98,7 @@ piglit_cl_test(const int argc,
piglit_cl_get_error_name(errNo));
piglit_merge_result(&result, PIGLIT_FAIL);
}
+ free(platforms);
errNo = clGetPlatformIDs(100, NULL, NULL);
if(!piglit_cl_check_error(errNo, CL_INVALID_VALUE)) {
fprintf(stderr,
diff --git a/tests/cl/api/get-program-info.c b/tests/cl/api/get-program-info.c
index 1c4a307..ba118a2 100644
--- a/tests/cl/api/get-program-info.c
+++ b/tests/cl/api/get-program-info.c
@@ -173,6 +173,7 @@ piglit_cl_test(const int argc,
piglit_merge_result(&result, PIGLIT_FAIL);
}
+ param_value = malloc(param_value_size);
errNo = clGetProgramInfo(env->program,
CL_PROGRAM_REFERENCE_COUNT,
1,
@@ -184,7 +185,8 @@ piglit_cl_test(const int argc,
piglit_cl_get_error_name(errNo));
piglit_merge_result(&result, PIGLIT_FAIL);
}
-
+ free(param_value);
+
/*
* CL_INVALID_PROGRAM if program is not a valid program object.
*/
--
2.0.4
More information about the Piglit
mailing list