Re: [PATCH] HID: hidraw, fix a NULL pointer dereference inhidraw_ioctl

[Jiri Kosina]

On Sat, 2 Oct 2010, Antonio Ospite wrote:

> BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
> IP: [<ffffffffa02c66b4>] hidraw_ioctl+0xfc/0x32c [hid]
> [...]
> 
> This is reproducible by disconnecting the device while userspace does ioctl in
> a loop and doesn't check return values in order to exit the loop, like in the
> following test program:
> 
> int main(int argc, char *argv[])
> {
> 	int fd = -1;
> 	unsigned char name[256];
> 	int ret;
> 
> 	if (argc != 2) {
> 		fprintf(stderr, "usage: %s </dev/hidrawX>\n",
> 				argv[0]);
> 		exit(1);
> 	}
> 
> 	fd = open(argv[1], O_RDWR);
> 	if (fd < 0) {
> 		perror("hidraw open");
> 		exit(1);
> 	}
> 
> 	while (1) {
> 		ret = ioctl(fd, HIDIOCGRAWNAME(256), name);
> 		printf("ret: %d name: %s\n", ret, name);
> 	}
> 
> 	close(fd);
> 	exit(0);
> }

Thanks for cathing this.

> 
> Signed-off-by: Antonio Ospite <ospite@xxxxxxxxxxxxxxxxx>
> ---
> Should this be applied to older stable kernels too?

Yes, I will be adding (or feel free to do so yourself with another respin) 
"Cc: stable@xxxxxxxxxx" line.

> there is a similar problem when _writing_ to the device, but Alan's
> changes in that area are shuffling the code a bit, should I send a patch
> [to hidraw_send_report()] on top of Alan's work for that, or a fix for
> current mainline [in hidraw_write()] on which Alan should rebase his
> work would be better?

Please send me the fix for current mainline for now, i.e. respin with the 
write path covered as well. We are struggling to get feedback on Alan's 
patches from Bluetooth maintainer, so we'd rather have this race fixed in 
any case.

Thanks,

-- 
Jiri Kosina
SUSE Labs, Novell Inc.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/