    net/irda: fix NULL pointer dereference on memory allocation failure · 3787fb66
    Vegard Nossum authored
    commit d3e6952c upstream.
    
    I ran into this:
    
        kasan: CONFIG_KASAN_INLINE enabled
        kasan: GPF could be caused by NULL-ptr deref or user memory access
        general protection fault: 0000 [#1] PREEMPT SMP KASAN
        CPU: 2 PID: 2012 Comm: trinity-c3 Not tainted 4.7.0-rc7+ #19
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
        task: ffff8800b745f2c0 ti: ffff880111740000 task.ti: ffff880111740000
        RIP: 0010:[<ffffffff82bbf066>]  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
        RSP: 0018:ffff880111747bb8  EFLAGS: 00010286
        RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000069dd8358
        RDX: 0000000000000009 RSI: 0000000000000027 RDI: 0000000000000048
        RBP: ffff880111747c00 R08: 0000000000000000 R09: 0000000000000000
        R10: 0000000069dd8358 R11: 1ffffffff0759723 R12: 0000000000000000
        R13: ffff88011a7e4780 R14: 0000000000000027 R15: 0000000000000000
        FS:  00007fc738404700(0000) GS:ffff88011af00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007fc737fdfb10 CR3: 0000000118087000 CR4: 00000000000006e0
        Stack:
         0000000000000200 ffff880111747bd8 ffffffff810ee611 ffff880119f1f220
         ffff880119f1f4f8 ffff880119f1f4f0 ffff88011a7e4780 ffff880119f1f232
         ffff880119f1f220 ffff880111747d58 ffffffff82bca542 0000000000000000
        Call Trace:
         [<ffffffff82bca542>] irda_connect+0x562/0x1190
         [<ffffffff825ae582>] SYSC_connect+0x202/0x2a0
         [<ffffffff825b4489>] SyS_connect+0x9/0x10
         [<ffffffff8100334c>] do_syscall_64+0x19c/0x410
         [<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
        Code: 41 89 ca 48 89 e5 41 57 41 56 41 55 41 54 41 89 d7 53 48 89 fb 48 83 c7 48 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 20 4c 8b 65 10 <0f> b6 04 02 84 c0 74 08 84 c0 0f 8e 4c 04 00 00 80 7b 48 00 74
        RIP  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
         RSP <ffff880111747bb8>
        ---[ end trace 4cda2588bc055b30 ]---
    
    The problem is that irda_open_tsap() can fail and leave self->tsap = NULL,
    and then irttp_connect_request() almost immediately dereferences it.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
af_irda.c 67.5 KB
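The commit's diff is not shown on this page; as an added illustration (not the commit's own code), here is a stand-alone C model of the failure path the message describes, with hypothetical names (sock, tsap, open_tsap, connect_request) and a constructed allocation-failure switch: open_tsap() fails and leaves the socket's tsap pointer NULL, and the caller must propagate that error before connect_request() dereferences the pointer.

```c
/* Added example, not the commit's code: models the unchecked-allocation path
 * described in the commit message, using hypothetical names. */
#include <stdlib.h>
#include <errno.h>

struct tsap { int sel; };
struct sock { struct tsap *tsap; };

/* Constructed failure injection: when nonzero, every TSAP allocation fails. */
static int inject_alloc_failure = 0;

/* Models the TSAP allocator: returns NULL when memory is exhausted. */
static struct tsap *tsap_alloc(int sel)
{
    if (inject_alloc_failure)
        return NULL;
    struct tsap *t = calloc(1, sizeof *t);
    if (t)
        t->sel = sel;
    return t;
}

/* Models irda_open_tsap(): on failure returns -ENOMEM and leaves self->tsap NULL. */
static int open_tsap(struct sock *self, int sel)
{
    self->tsap = tsap_alloc(sel);
    return self->tsap ? 0 : -ENOMEM;
}

/* Models irttp_connect_request(): dereferences the TSAP immediately. */
static int connect_request(struct tsap *t)
{
    return t->sel;
}

/* Before: open_tsap()'s return value is ignored, so after a failed
 * allocation connect_request() is reached with a NULL pointer (the crash
 * in the KASAN trace above). Only safe to call when allocation succeeds. */
static int connect_unchecked(struct sock *self, int sel)
{
    if (!self->tsap)
        open_tsap(self, sel);
    return connect_request(self->tsap);
}

/* After: the allocation error is returned to the caller before the
 * pointer is ever used, so connect(2) gets -ENOMEM instead of an oops. */
static int connect_checked(struct sock *self, int sel)
{
    if (!self->tsap) {
        int err = open_tsap(self, sel);
        if (err)
            return err;
    }
    return connect_request(self->tsap);
}
```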