linux/drivers
Jesper Juhl 190644e180 Fix "use after free" / "double free" bug in ati_create_gatt_pages / ati_free_gatt_pages
Hi,

Coverity spotted a "use after free" bug in
drivers/char/agp/ati-agp.c::ati_create_gatt_pages().

The same one that was in
  drivers/char/agp/amd-k7-agp.c::amd_create_gatt_pages()

The problem is this:
       If "entry = kzalloc(sizeof(struct ati_page_map), GFP_KERNEL);"
fails, then there's a loop in the function to free all entries
allocated so far and break out of the allocation loop. That in itself
is pretty sane, but then the (now freed) 'tables' is assigned to
ati_generic_private.gatt_pages and 'retval' is set to -ENOMEM which
causes ati_free_gatt_pages(); to be called at the end of the function.
The problem with this is that ati_free_gatt_pages() will then loop
'ati_generic_private.num_tables' times and try to free each entry in
tables[] - this is bad since tables has already been freed and
furthermore it will call kfree(tables) at the end - a double free.

This patch removes the freeing loop in ati_create_gatt_pages() and
instead relies entirely on the call to ati_free_gatt_pages() to free
everything we allocated in case of an error. It also sets
ati_generic_private.num_tables to the actual number of entries
allocated instead of just using the value passed in from the caller -
this ensures that ati_free_gatt_pages() will only attempt to free
stuff that was actually allocated.

Note: I'm in no way intimate with this code and I have no way to
actually test this patch (besides compile test it), so while I've
tried to be careful in reading the code and make sure the patch
does the right thing an ACK from someone who actually knows the
code in-depth would be very much appreciated.

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
2007-07-27 10:44:32 +10:00
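The error path the commit message above describes, modeled in userspace C as an added example. This is not the kernel's code nor the patch itself: `struct page_map` and `struct gatt_private` are simplified stand-ins for the driver's `struct ati_page_map` and `ati_generic_private`, the kzalloc/kfree calls are replaced by an instrumented allocator with fault injection, and freed blocks are quarantined rather than released so the double free is counted instead of aborting the process. The "before" variant reproduces the pattern the message explains (a local cleanup loop plus the shared teardown both running on failure, with `num_tables` set to the requested count); the "after" variant applies the two changes the patch describes.

```c
/*
 * Added example modeling the double free in ati_create_gatt_pages():
 * on allocation failure the partial table was freed locally, then handed
 * to the shared teardown, which freed every entry and the table again.
 * Names, structures and the allocator are simplified stand-ins, not the
 * driver's code.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACK 64

struct page_map { void *real; };                 /* stand-in for struct ati_page_map */
struct gatt_private { struct page_map **gatt_pages; int num_tables; };

/* Instrumented allocator: fault injection plus live-block tracking. */
static void *live[MAX_TRACK];
static int alloc_count, fail_nth, double_frees;

static void track_reset(int fail_at)
{
    memset(live, 0, sizeof live);                  /* quarantined blocks are leaked on purpose */
    alloc_count = 0; double_frees = 0; fail_nth = fail_at;   /* fail_at = 0: never fail */
}

static void *track_alloc(size_t n)
{
    if (++alloc_count == fail_nth) return NULL;    /* injected kzalloc() failure */
    void *p = calloc(1, n);
    for (int i = 0; i < MAX_TRACK; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    abort();
}

static void track_free(void *p)
{
    if (p == NULL) return;                         /* kfree(NULL) is a no-op */
    for (int i = 0; i < MAX_TRACK; i++)
        if (live[i] == p) { live[i] = NULL; return; }  /* quarantined, memory kept readable */
    double_frees++;                                /* p was not live: freed twice */
}

static int track_live(void)
{
    int n = 0;
    for (int i = 0; i < MAX_TRACK; i++) n += live[i] != NULL;
    return n;
}

/* Shared teardown: frees num_tables entries, then the table itself. */
static void free_gatt_pages(struct gatt_private *priv)
{
    for (int i = 0; i < priv->num_tables; i++)
        track_free(priv->gatt_pages[i]);
    track_free(priv->gatt_pages);
    priv->gatt_pages = NULL;
    priv->num_tables = 0;
}

/* Before: local cleanup loop AND the shared teardown both run on failure. */
static int create_gatt_pages_before(struct gatt_private *priv, int nr_tables)
{
    struct page_map **tables = track_alloc((nr_tables + 1) * sizeof *tables);
    int retval = 0, i;

    if (tables == NULL) return -ENOMEM;
    for (i = 0; i < nr_tables; i++) {
        struct page_map *entry = track_alloc(sizeof *entry);
        if (entry == NULL) {
            while (i > 0) { track_free(tables[i - 1]); i--; }  /* frees the entries ... */
            track_free(tables);                                /* ... and the table */
            retval = -ENOMEM;
            break;
        }
        tables[i] = entry;
    }
    priv->num_tables = nr_tables;   /* requested count, not what was allocated */
    priv->gatt_pages = tables;      /* on the error path this is already freed */
    if (retval != 0) free_gatt_pages(priv);   /* walks freed memory, frees it again */
    return retval;
}

/* After: one owner of cleanup; num_tables reflects what was really allocated. */
static int create_gatt_pages_after(struct gatt_private *priv, int nr_tables)
{
    struct page_map **tables = track_alloc((nr_tables + 1) * sizeof *tables);
    int retval = 0, i;

    if (tables == NULL) return -ENOMEM;
    for (i = 0; i < nr_tables; i++) {
        struct page_map *entry = track_alloc(sizeof *entry);
        if (entry == NULL) { retval = -ENOMEM; break; }
        tables[i] = entry;
    }
    priv->num_tables = i;           /* entries actually allocated */
    priv->gatt_pages = tables;
    if (retval != 0) free_gatt_pages(priv);   /* frees exactly those entries, once */
    return retval;
}

struct outcome { int retval, double_frees, leaked; };

/* Run one variant with the fail_at-th allocation failing (0 = no failure). */
struct outcome run_scenario(int fixed, int nr_tables, int fail_at)
{
    struct gatt_private priv = { NULL, 0 };
    struct outcome o;

    track_reset(fail_at);
    o.retval = fixed ? create_gatt_pages_after(&priv, nr_tables)
                     : create_gatt_pages_before(&priv, nr_tables);
    if (o.retval == 0) free_gatt_pages(&priv);   /* normal teardown after success */
    o.double_frees = double_frees;
    o.leaked = track_live();
    return o;
}

int main(void)
{
    /* 4 tables requested; allocation #3 (the second entry) fails. */
    struct outcome b = run_scenario(0, 4, 3), a = run_scenario(1, 4, 3);
    printf("before: retval=%d double_frees=%d leaked=%d\n", b.retval, b.double_frees, b.leaked);
    printf("after:  retval=%d double_frees=%d leaked=%d\n", a.retval, a.double_frees, a.leaked);
    return 0;
}
```

With the second entry allocation failing, the "before" variant reports two double frees (the one entry that was allocated, plus the table itself) while the "after" variant reports none and leaks nothing. Failing the very first entry allocation still produces one double free in the old code, of the table alone, which is the case a reviewer should check by hand: whatever the local loop skips, the shared teardown must still be the only path that releases memory.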
acorn [BLOCK] Get rid of request_queue_t typedef 2007-07-24 09:28:11 +02:00
acpi Don't force-enable suspend/hibernate support just for ACPI 2007-07-26 13:44:58 -07:00
amba
ata Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev 2007-07-24 15:58:51 -07:00
atm [ATM]: nicstar needs virt_to_bus 2007-07-18 02:13:42 -07:00
auxdisplay Use menuconfig objects II - auxdisplay 2007-07-16 09:05:40 -07:00
base Fix ThinkPad T42 poweroff failure introduced by by "PM: Introduce pm_power_off_prepare" 2007-07-26 12:13:06 -07:00
block lguest: documentation III: Drivers 2007-07-26 11:35:17 -07:00
bluetooth
cdrom [BLOCK] Get rid of request_queue_t typedef 2007-07-24 09:28:11 +02:00
char Fix "use after free" / "double free" bug in ati_create_gatt_pages / ati_free_gatt_pages 2007-07-27 10:44:32 +10:00
clocksource x86_64: fix typo in acpi_pm.c 2007-07-21 18:37:12 -07:00
connector Use menuconfig objects: connector 2007-07-16 09:05:40 -07:00
cpufreq [CPUFREQ] Restore previously used governor on a hot-replugged CPU 2007-07-13 01:29:51 -04:00
crypto Use menuconfig objects: crypto hw 2007-07-16 09:05:40 -07:00
dio
dma dma-mapping: prevent dma dependent code from linking on !HAS_DMA archs 2007-07-16 09:05:45 -07:00
edac drivers/edac: fix pasemi kconfig depends 2007-07-26 11:35:18 -07:00
eisa
fc4
firewire Merge master.kernel.org:/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2007-07-22 11:36:49 -07:00
firmware edd: switch to pci_get based API 2007-07-16 09:05:42 -07:00
hid
hwmon Merge branch 'release' of git://lm-sensors.org/kernel/mhoffman/hwmon-2.6 2007-07-19 14:24:57 -07:00
i2c i2c: ds1682 warning fix 2007-07-26 11:35:17 -07:00
ide drivers/ misc __iomem annotations 2007-07-26 11:11:57 -07:00
ieee1394 raw1394 __user annotation 2007-07-26 11:11:57 -07:00
infiniband IB/ehca: Support small QP queues 2007-07-20 21:19:47 -07:00
input ACPI: autoload modules - Create __mod_acpi_device_table symbol for all ACPI drivers 2007-07-23 13:56:42 -04:00
isdn Use menuconfig objects: ISDN/Gigaset 2007-07-21 17:49:17 -07:00
kvm KVM: disable writeback for 0x0f 0x01 instructions. 2007-07-25 14:31:27 +03:00
leds leds: Convert from struct class_device to struct device 2007-07-16 01:15:51 +01:00
lguest lguest: documentation VII: FIXMEs 2007-07-26 11:35:17 -07:00
macintosh [POWERPC] Clean up duplicate includes in drivers/macintosh/ 2007-07-22 21:31:00 +10:00
mca
md [BLOCK] Get rid of request_queue_t typedef 2007-07-24 09:28:11 +02:00
media more VIRT_TO_BUS dependencies 2007-07-26 11:11:56 -07:00
message [BLOCK] Get rid of request_queue_t typedef 2007-07-24 09:28:11 +02:00
mfd some kmalloc/memset ->kzalloc (tree wide) 2007-07-19 10:04:50 -07:00
misc Pull auto-load-modules into release branch 2007-07-25 01:36:53 -04:00
mmc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/drzeus/mmc 2007-07-26 14:00:56 -07:00
mtd sun userflash is PCI-dependent 2007-07-26 11:11:56 -07:00
net m32r: Fix ei_tx_timeout() in drivers/net/lib8390.c 2007-07-26 11:35:20 -07:00
nubus some kmalloc/memset ->kzalloc (tree wide) 2007-07-19 10:04:50 -07:00
of Create drivers/of/platform.c 2007-07-20 14:25:51 +10:00
oprofile [CELL] oprofile: add support to OProfile for profiling CELL BE SPUs 2007-07-20 21:42:24 +02:00
parisc serial: add early_serial_setup() back to header file 2007-07-18 08:38:22 -07:00
parport m68k: exclude more unbuildable drivers 2007-07-20 08:24:49 -07:00
pci Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6 2007-07-25 11:28:00 -07:00
pcmcia [POWERPC] Constify of_platform_driver name 2007-07-22 21:30:59 +10:00
pnp PNP: fix up after Lindent 2007-07-26 11:35:21 -07:00
power Merge git://git.infradead.org/battery-2.6 2007-07-15 16:56:12 -07:00
ps3
rapidio some kmalloc/memset ->kzalloc (tree wide) 2007-07-19 10:04:50 -07:00
rtc Reorder RTC Makefile 2007-07-26 11:35:17 -07:00
s390 Cleanup non-arch xtime uses, use get_seconds() or current_kernel_time(). 2007-07-25 10:09:20 -07:00
sbus Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6 2007-07-24 15:57:43 -07:00
scsi aacraid: fix security hole 2007-07-24 12:33:46 -07:00
serial m68knommu: fix workqueues in 68328 serial driver 2007-07-25 11:05:01 -07:00
sh some kmalloc/memset ->kzalloc (tree wide) 2007-07-19 10:04:50 -07:00
sn some kmalloc/memset ->kzalloc (tree wide) 2007-07-19 10:04:50 -07:00
spi fixup s3c24xx build after arch moves 2007-07-26 11:35:16 -07:00
tc zs: move to the serial subsystem 2007-07-18 08:38:22 -07:00
telephony some kmalloc/memset ->kzalloc (tree wide) 2007-07-19 10:04:50 -07:00
uio UIO: Hilscher CIF card driver 2007-07-18 15:57:16 -07:00
usb Merge branch 'for-linus' of git://git.o-hand.com/linux-rpurdie-backlight 2007-07-22 11:19:46 -07:00
video chipsfb: use correct pm state 2007-07-26 11:35:18 -07:00
w1 drivers/ misc __iomem annotations 2007-07-26 11:11:57 -07:00
xen xenbus_xs.c: fix a use-after-free 2007-07-26 11:35:17 -07:00
zorro
Kconfig Begin to consolidate of_device.c 2007-07-20 13:39:59 +10:00
Makefile Start split out of common open firmware code 2007-07-20 13:28:41 +10:00