Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sound: avoid potential crash upon naming error #1240

Closed
wants to merge 1 commit into from
Closed

sound: avoid potential crash upon naming error #1240

wants to merge 1 commit into from

Conversation

khorben
Copy link
Contributor

@khorben khorben commented May 16, 2024
edited
Loading

In chn_init(), if dsp_unit2name() fails, the code sets ret to EINVAL and jumps to the out2 label, where the b and bs snd_dbuf variables may be destroyed without having been initialized in the first place.

Reported by: Coverity Scan
CID: 1545029
CID: 1545025
Sponsored by: The FreeBSD Foundation

@khorben
Copy link
Contributor Author

khorben commented May 16, 2024

Cc @christosmarg

@khorben
sound: avoid potential crash upon naming error
371c4c7 
In chn_init(), if dsp_unit2name() fails, the code sets ret to EINVAL and
jumps to the out2 label, where the b and bs snd_dbuf variables may be
destroyed without having been initialized in the first place.

Reported by:	Coverity Scan
CID:		1545029
CID:		1545025
Sponsored by:	The FreeBSD Foundation
bsdimp
bsdimp reviewed May 16, 2024
View reviewed changes
sys/dev/sound/pcm/channel.c
@@ -1236,6 +1236,8 @@ chn_init(struct snddev_info *d, struct pcm_channel *parent, kobj_class_t cls,
}

PCM_UNLOCK(d);
b = NULL;
bs = NULL;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason we don't just initialize these to null where they are declared above?

@christosmarg
Copy link
Contributor

LGTM.

@bsdimp We could also do that, I guess it's just cleaner to do it the way Pierre did and have all the declarations in the same place.

@christosmarg
Copy link
Contributor

christosmarg commented May 17, 2024
edited
Loading

Hmmm @khorben it seems that this can also be a problem for this block as well

	CHN_INIT(c, children);
	CHN_INIT(c, children.busy);
	c->devinfo = NULL;
	c->feeder = NULL;
	c->latency = -1;
	c->timeout = 1;

out2 will check if c->devinfo is NULL, but we also initialize it after the call to dsp_unit2name().

If you want I can take care of cleaning the whole initialization in chn_init()

@christosmarg christosmarg self-requested a review May 17, 2024 19:53
freebsd-git pushed a commit that referenced this pull request May 20, 2024
@christosmarg
sound: Prevent uninitialized variable destruction in chn_init()
5d1a5d6 
If dsp_unit2name() fails, we'll get to out2 with b, bs and devinfo
uninitialized, which will result in a panic.

Reported by:	Pierre Pronchery <pierre@freebsdfoundation.org>
Reported by:	Coverity Scan
CID:		1545029, 1545025
Pull-request:	#1240
Sponsored by:	The FreeBSD Foundation
MFC after:	1 day
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D45272
@khorben
Copy link
Contributor Author

khorben commented May 21, 2024

Hmmm @khorben it seems that this can also be a problem for this block as well

	CHN_INIT(c, children);
	CHN_INIT(c, children.busy);
	c->devinfo = NULL;
	c->feeder = NULL;
	c->latency = -1;
	c->timeout = 1;

out2 will check if c->devinfo is NULL, but we also initialize it after the call to dsp_unit2name().

If you want I can take care of cleaning the whole initialization in chn_init()

Unlike b and bs, c->devinfo is initialised to NULL upon allocation, and before any possible jump to out2:

1241         c = malloc(sizeof(*c), M_DEVBUF, M_WAITOK | M_ZERO);
                                                         ^^^^^^

So this looks fine to me.

freebsd-git pushed a commit that referenced this pull request May 21, 2024
@christosmarg
sound: Prevent uninitialized variable destruction in chn_init()
bca6f39 
If dsp_unit2name() fails, we'll get to out2 with b, bs and devinfo
uninitialized, which will result in a panic.

Reported by:	Pierre Pronchery <pierre@freebsdfoundation.org>
Reported by:	Coverity Scan
CID:		1545029, 1545025
Pull-request:	#1240
Sponsored by:	The FreeBSD Foundation
MFC after:	1 day
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D45272

(cherry picked from commit 5d1a5d6)
@christosmarg
Copy link
Contributor

@khorben I fixed this in a follow-up commit: 2db2292

christosmarg added a commit to christosmarg/freebsd that referenced this pull request May 23, 2024
@christosmarg
sound: Prevent uninitialized variable destruction in chn_init()
4c895e4 
If dsp_unit2name() fails, we'll get to out2 with b, bs and devinfo
uninitialized, which will result in a panic.

Reported by:	Pierre Pronchery <pierre@freebsdfoundation.org>
Reported by:	Coverity Scan
CID:		1545029, 1545025
Pull-request:	freebsd/freebsd-src#1240
Sponsored by:	The FreeBSD Foundation
MFC after:	1 day
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bsdimp bsdimp bsdimp left review comments

@christosmarg christosmarg Awaiting requested review from christosmarg

Assignees
No one assigned
Labels
needs-review
Projects
None yet
Milestone
No milestone
3 participants
@khorben @christosmarg @bsdimp