[Letux-kernel] New LetuxOS Kernels - strcmp(NULL)

H. Nikolaus Schaller hns at goldelico.com
Sat Jun 23 18:47:37 CEST 2018


Hi,

> Am 23.06.2018 um 18:39 schrieb N. Jackson <nljlistbox2 at gmail.com>:
> 
>> At 17:21 +0200 on Saturday 2018-06-23, H. Nikolaus Schaller wrote:
>> 
>>> Am 23.06.2018 um 12:13 schrieb H. Nikolaus Schaller <hns at goldelico.com>:
>>> 
>>> [    7.657104]   gname[15] = pinmux_penirq_pins
>>> [    7.671142]   gname[16] = pinmux_camera_pins
>>> [    7.675598]   gname[17] = hdq_pins
>>> [    7.688140] pinctrl_generic_get_group_name: group>name is NULL
>>> [    7.694244]   gname[18] = (null)
>> 
>> ^^^ this is interesting!
>> 
>> The printk code behind pinctrl_generic_get_group_name is:
>> 
>> const char *pinctrl_generic_get_group_name(struct pinctrl_dev *pctldev,
>> 					   unsigned int selector)
>> {
>> 	struct group_desc *group;
>> 
>> 	group = radix_tree_lookup(&pctldev->pin_group_tree,
>> 				  selector);
>> 	if (!group) {
>> 		printk("%s: selector %d not found\n", __func__, selector);
>> 	}
>> 	if (!group)
>> 		return NULL;
>> 
>> 	if (!group->name) {
>> 		printk("%s: group>name is NULL\n", __func__);
>> 	}
>> 	return group->name;
>> }
>> 
>> Which means that the struct group_desc exists but the
>> group->name is NULL. So there is no NULL magically added
>> to the radix tree, but the group->name pointer becomes
>> NULL. Which means that the memory region was overwritten.
> 
> Can you rule out the possibility that the group->name was
> not set to NULL when the group was created in
> pinctrl_generic_add_group?

Yes. There is a test for it - and the patch set from Tony tries to locate the
name in the radix tree before allocating a new one and that would also segfault
for a NULL name.

What I am currently thinking is that there is some index-out-of-bounds access
involved. Not necessarily related to the pinmux framework but I can't decide that
yet.

BR and thanks,
Nikolaus
