char: Fix NULL pointer dereferences

Fix the following NULL pointer dereferences in character drivers. Null pointer 'pra' that comes from line 825 may be passed to function and can be dereferenced there by passing argument 4 to function 'fastrpc_internal_invoke' at line 847. drivers/char/adsprpc.c +847 | fastrpc_device_ioctl() Null pointer 'rpra' that comes from line 672 may be passed to function and can be dereferenced there by passing argument 2 to function 'inv_args' at line 702. drivers/char/adsprpc.c +702 | fastrpc_internal_invoke() Constant NULL may be dereferenced by passing argument 3 to function 'diag_device_write' at line 165. drivers/char/diag/diagfwd_hsic.c +165 | diag_hsic_read_complete_callback() drivers/char/diag/diagfwd.c +585 | diag_device_write() Change-Id: I30469575c30f3846b449b6c71522f7dfc10c5bc5 Signed-off-by: Binoy Jayan <bjayan@codeaurora.org>
2024-11-06 23:17:41 +00:00 · 2016-02-19 09:35:33 +05:30 · 2016-02-19 09:35:33 +05:30 · bc64aa3603
commit bc64aa3603
parent db7da01998
2 changed files with 32 additions and 9 deletions
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012, 2016, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@ -701,6 +701,11 @@ static int fastrpc_internal_invoke(struct fastrpc_apps *me, uint32_t kernel,
 						&obuf));
 	if (err)
 		goto bail;
+
+	VERIFY(err, NULL != rpra);
+	if (err)
+		goto bail;
+
 	inv_args(sc, rpra, obuf.used);
 	VERIFY(err, 0 == (interrupted =
 			wait_for_completion_interruptible(&ctx->work)));
@ -841,6 +846,10 @@ static long fastrpc_device_ioctl(struct file *file, unsigned int ioctl_num,
 			if (err)
 				goto bail;
 		}
+		VERIFY(err, NULL != pra);
+		if (err)
+			goto bail;
+
 		VERIFY(err, 0 == copy_from_user(pra, invoke.pra, bufs));
 		if (err)
 			goto bail;
--- a/drivers/char/diag/diagfwd.c
+++ b/drivers/char/diag/diagfwd.c
@ -1,4 +1,4 @@
-/* Copyright (c) 2008-2013, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2008-2013, 2016, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@ -476,15 +476,24 @@ int diag_device_write(void *buf, int data_type, struct diag_request *write_ptr)
 				err = -1;
 		} else if ((data_type >= 0) &&
 				(data_type < NUM_SMD_DATA_CHANNELS)) {
-			write_ptr->buf = buf;
+			if (write_ptr) {
+				write_ptr->buf = buf;
 #ifdef DIAG_DEBUG
-			printk(KERN_INFO "writing data to USB,"
-				"pkt length %d\n", write_ptr->length);
-			print_hex_dump(KERN_DEBUG, "Written Packet Data to"
-					   " USB: ", 16, 1, DUMP_PREFIX_ADDRESS,
-					    buf, write_ptr->length, 1);
+				printk(KERN_INFO
+					"writing data to USB pkt length %d\n",
+					write_ptr->length);
+				print_hex_dump(KERN_DEBUG,
+					"Written Packet Data to"
+					" USB: ", 16, 1, DUMP_PREFIX_ADDRESS,
+					buf, write_ptr->length, 1);
 #endif /* DIAG DEBUG */
-			err = usb_diag_write(driver->legacy_ch, write_ptr);
+				err = usb_diag_write(driver->legacy_ch,
+							write_ptr);
+			} else {
+				pr_err("diag:%d: Failed to write to USB\n",
+					__LINE__);
+				err = -1;
+			}
 		}
 #ifdef CONFIG_DIAG_SDIO_PIPE
 		else if (data_type == SDIO_DATA) {
@ -533,11 +542,16 @@ int diag_device_write(void *buf, int data_type, struct diag_request *write_ptr)
 				err = -1;
 			}
 		} else if (data_type == SMUX_DATA) {
+			if (write_ptr) {
 				write_ptr->buf = buf;
 				write_ptr->context = (void *)SMUX;
 				pr_debug("diag: writing SMUX data\n");
 				err = usb_diag_write(diag_bridge[SMUX].ch,
 								 write_ptr);
+			} else {
+				pr_err("diag:%d: Failed to write to USB\n",
+					__LINE__);
+			}
 		}
 #endif
 		APPEND_DEBUG('d');