ALSA: asihpi - Unsafe memory management when allocating control cache
authorJesper Juhl <jj@chaosbits.net>
Fri, 29 Oct 2010 19:35:25 +0000 (21:35 +0200)
committerTakashi Iwai <tiwai@suse.de>
Tue, 2 Nov 2010 06:38:21 +0000 (07:38 +0100)
I noticed that sound/pci/asihpi/hpicmn.c::hpi_alloc_control_cache() does
not check the return value from kmalloc(), which may fail.
If kmalloc() fails we'll dereference a null pointer and things will go bad
fast.
There are two memory allocations in that function, and there is also the
problem that the first may succeed while the second fails; nothing is
done about that either, which will also go wrong down the line.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Eliot Blennerhassett <linux@audioscience.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
sound/pci/asihpi/hpi6000.c
sound/pci/asihpi/hpi6205.c
sound/pci/asihpi/hpicmn.c

index f7e374ec44144763feb215890c73714b32a17a22..1b9bf9395cfe820f87b34fa14d57d5a667a67217 100644 (file)
@@ -625,6 +625,8 @@ static short create_adapter_obj(struct hpi_adapter_obj *pao,
                        control_cache_size, (struct hpi_control_cache_info *)
                        &phw->control_cache[0]
                        );
+               if (!phw->p_cache)
+                       pao->has_control_cache = 0;
        } else
                pao->has_control_cache = 0;
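Review bot: The new NULL check in hpi6000.c clears pao->has_control_cache and carries on, whereas the equivalent check added in hpi6205.c (next section) aborts adapter creation with HPI_ERROR_MEMORY_ALLOC, so the same allocation failure now has two different outcomes and neither path records why the cache is missing. If running without a control cache is the intended policy for this adapter family, a comment on the added branch, `/* cache allocation failed: continue without a control cache */`, together with a log message at that point would make the degraded state visible instead of looking like an oversight; otherwise returning an error as hpi6205.c does is the safer default. create_adapter_obj starts and ends outside the hunk, so whether the failed allocation leaves other state to release (hpi6205.c appears to have a separately obtained cache buffer, judging by the hpios_locked_mem_get_phys_addr call) cannot be confirmed from here.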
 
index 22c5fc6255335ac94aca5ac297432f16b0950c4e..2672f6591ceb7246b9a0a24ecbfa8f4cf2c46288 100644 (file)
@@ -644,6 +644,8 @@ static u16 create_adapter_obj(struct hpi_adapter_obj *pao,
                                interface->control_cache.size_in_bytes,
                                (struct hpi_control_cache_info *)
                                p_control_cache_virtual);
+                       if (!phw->p_cache)
+                               err = HPI_ERROR_MEMORY_ALLOC;
                }
                if (!err) {
                        err = hpios_locked_mem_get_phys_addr(&phw->
index dda4f1c6f65847504a71016b1064d0039c65e8a3..d67f4d3db911dd9685d24e08f29d6b6bc23f16f9 100644 (file)
@@ -571,14 +571,20 @@ struct hpi_control_cache *hpi_alloc_control_cache(const u32
 {
        struct hpi_control_cache *p_cache =
                kmalloc(sizeof(*p_cache), GFP_KERNEL);
+       if (!p_cache)
+               return NULL;
+       p_cache->p_info =
+               kmalloc(sizeof(*p_cache->p_info) * number_of_controls,
+                       GFP_KERNEL);
+       if (!p_cache->p_info) {
+               kfree(p_cache);
+               return NULL;
+       }
        p_cache->cache_size_in_bytes = size_in_bytes;
        p_cache->control_count = number_of_controls;
        p_cache->p_cache =
                (struct hpi_control_cache_single *)pDSP_control_buffer;
        p_cache->init = 0;
-       p_cache->p_info =
-               kmalloc(sizeof(*p_cache->p_info) * p_cache->control_count,
-               GFP_KERNEL);
        return p_cache;
 }
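Review bot: The p_info allocation on the added lines multiplies sizeof(*p_cache->p_info) by the caller-supplied u32 number_of_controls with no overflow check; the count is likely to originate in adapter-reported data (the size argument passed in hpi6205.c is read from interface->control_cache), and kcalloc() gives the check for free: `p_cache->p_info = kcalloc(number_of_controls, sizeof(*p_cache->p_info), GFP_KERNEL);`. It also zeroes the entries, so nothing depends on later init code touching every slot before it is read. Returning NULL is a new part of this function's contract, and a comment above it such as `/* Returns NULL if either allocation fails; no partially built cache is left behind. */` would tell callers they must check the result, as the hpi6000.c and hpi6205.c hunks in this commit now do. The function signature itself is only visible in the hunk header, so the parameter declarations are outside the reviewed lines.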