[Bug 282237] bhyve: usb_mouse.c segfaults due to incomplete NULL checking
Date: Mon, 21 Oct 2024 04:30:15 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282237
Bug ID: 282237
Summary: bhyve: usb_mouse.c segfaults due to incomplete NULL checking
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bhyve
Assignee: virtualization@FreeBSD.org
Reporter: jackdbendtsen@gmail.com
Some of the cases inside umouse_request() (usr.sbin/bhyve/usb_mouse.c) use the
data component of an event, while only partially checking if it's NULL.
For example:
```
case UREQ(UR_GET_STATUS, UT_READ_INTERFACE):
case UREQ(UR_GET_STATUS, UT_READ_ENDPOINT):
DPRINTF(("umouse: (UR_GET_STATUS, UT_READ_INTERFACE)"));
if (data != NULL && len > 1) {
USETW(udata, 0);
data->blen = len - 2;
data->bdone += 2;
}
eshort = data->blen > 0;
break;
```
As you can see, 'data' has a NULL check, but then 'data' is immediately
dereferenced anyway after the check, regardless of whether it's NULL or not.
There are actually four occurrences of this same bug, each in a different case
in this switch block.
Here's a patch that can be applied to CURRENT that fixes the issue:
```
533c533
< eshort = data->blen > 0;
---
> eshort = data != NULL && data->blen > 0;
544c544
< eshort = data->blen > 0;
---
> eshort = data != NULL && data->blen > 0;
629c629
< eshort = data->blen > 0;
---
> eshort = data != NULL && data->blen > 0;
638c638
< eshort = data->blen > 0;
---
> eshort = data != NULL && data->blen > 0;
```
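Review bot: all four hunks (533, 544, 629, 638) apply the same guard, `eshort = data != NULL && data->blen > 0;`, which is the right fix, but the patch is in normal diff format with no file header, so a committer has to supply the path by hand and the bare line numbers will drift as CURRENT moves; please resubmit as a unified diff (`diff -u` or `git diff`) against usr.sbin/bhyve/usb_mouse.c so the context lines anchor each change. One thing to confirm while doing so: with the guard in place a NULL `data` now yields `eshort == 0`, which is consistent with the guarded block above it that never touches `data` in that case, but the caller should be checked to make sure a request with no data stage and `eshort == 0` is treated as a completed transfer rather than an error.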
Cheers,
Jack Bendtsen
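As an added illustration, not code from the bug report or from bhyve itself, here is a stand-alone model of the patched UR_GET_STATUS case together with the small regression check a reviewer would want, covering the NULL data path that used to crash. The struct usb_data and usetw() below are constructed stand-ins for bhyve's usb_data and USETW(), reduced to the fields this case touches.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the usb_data fields this case touches (not bhyve's type). */
struct usb_data {
	uint8_t buf[8];
	int blen;	/* bytes still to transfer */
	int bdone;	/* bytes already transferred */
};

/* Same effect as USETW(): store a 16-bit value little-endian. */
static void usetw(uint8_t *p, uint16_t v)
{
	p[0] = (uint8_t)(v & 0xff);
	p[1] = (uint8_t)(v >> 8);
}

/*
 * Model of the UR_GET_STATUS case with the proposed fix applied: the write
 * to data is guarded, and the eshort computation now carries the same
 * guard, so a request that arrives without a data stage (data == NULL)
 * no longer dereferences NULL. Returns the resulting eshort flag.
 */
int get_status_fixed(struct usb_data *data, int len)
{
	if (data != NULL && len > 1) {
		usetw(data->buf, 0);
		data->blen = len - 2;
		data->bdone += 2;
	}
	return data != NULL && data->blen > 0;
}

/* Regression check: the NULL path plus the normal short/non-short cases. */
int run_checks(void)
{
	struct usb_data d = { {0}, 0, 0 };
	int ok = 1;
	ok &= get_status_fixed(NULL, 2) == 0;	/* previously a NULL dereference */
	ok &= get_status_fixed(&d, 4) == 1 && d.blen == 2 && d.bdone == 2;
	ok &= get_status_fixed(&d, 2) == 0 && d.blen == 0 && d.bdone == 4;
	ok &= get_status_fixed(&d, 1) == 0 && d.bdone == 4;	/* len <= 1: no write */
	return ok;
}

int main(void) { return run_checks() ? 0 : 1; }
```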