[coreboot] NULL pointer dereference in search_bus_device()
stepan at coreboot.org
Fri Jan 14 22:41:42 CET 2011
* Myles Watson <mylesgw at gmail.com> [110110 14:29]:
> On Mon, Jan 10, 2011 at 6:27 AM, Sven Schnelle <svens at stackframe.org> wrote:
> > "Myles Watson" <mylesgw at gmail.com> writes:
> >>> diff --git a/src/devices/device_util.c b/src/devices/device_util.c
> >>> index 9081a36..d761cba 100644
> >>> --- a/src/devices/device_util.c
> >>> +++ b/src/devices/device_util.c
> >>> @@ -583,8 +583,9 @@ void search_bus_resources(struct bus *bus, unsigned
> >>> long type_mask,
> >>> if (subbus->link_num
> >>> ==
> >> IOINDEX_SUBTRACTIVE_LINK(res->index))
> >>> break;
> >>> - search_bus_resources(subbus, type_mask,
> >> type,
> >>> - search, gp);
> >>> + if (subbus)
> >>> + search_bus_resources(subbus,
> >> type_mask,
> >>> type,
> >>> + search, gp);
> >>> continue;
> >>> }
> >>> search(gp, curdev, res);
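Review bot: the added `if (subbus)` guard stops the NULL dereference but makes the walk skip the subtractive resource silently whenever no child bus has a link_num equal to IOINDEX_SUBTRACTIVE_LINK(res->index). Add an else branch (or a separate `if (!subbus)` before the `continue;`) that prints a message naming curdev and res->index, so a resource that names a link the device does not have shows up in the log instead of vanishing from the search; it is also worth deciding there whether a resource with no bus behind it should keep its subtractive flag at all.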
> >> If subbus is NULL, then accessing subbus->link_num is also a problem.
> > That doesn't happen, because the if (subbus... is in the for loop, which
> > checks for NULL. The search_bus_resources() is always called outside the
> > for loop.
> You're right. I should have looked at the code first, instead of just
> the patch. There wasn't enough context.
> If there is no bus there, maybe the resource shouldn't be subtractive.
> Maybe we should print a message when that happens so that we can fix
> the problem.
What would cause it to be subtractive? We should print an error message
if this occurs, but we should also react sanely. How do we proceed?
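For reference, here is a stand-alone C model of the walk that takes the "report and skip" path when a subtractive resource names a link with no bus behind it. This is an added example, not coreboot's code: the struct layouts, the IORESOURCE_* flag bits, the IOINDEX_SUBTRACTIVE_LINK() encoding and the sample tree are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not coreboot code. Layouts, flag values and the link
 * encoding below are assumptions for illustration only. */
#define IORESOURCE_IO          0x1UL
#define IORESOURCE_MEM         0x2UL
#define IORESOURCE_SUBTRACTIVE 0x4UL
#define IOINDEX_SUBTRACTIVE_LINK(i) ((i) & 0xffu)  /* assumed: link in low byte */

struct bus;

struct resource {
	unsigned long flags;
	unsigned int index;
	struct resource *next;
};

struct device {
	const char *name;
	struct resource *resource_list;
	struct bus *link_list;   /* child buses behind this device */
	struct device *sibling;
};

struct bus {
	unsigned int link_num;
	struct device *children;
	struct bus *next;
};

typedef void (*resource_search_t)(void *gp, struct device *dev,
				  struct resource *res);

/* Walks the resources on a bus; recurses into the bus named by each
 * subtractive resource. Returns how many subtractive resources named a
 * link that no child bus carries, so the caller can tell a clean walk
 * from one that had to skip something. */
int search_bus_resources(struct bus *bus, unsigned long type_mask,
			 unsigned long type, resource_search_t search, void *gp)
{
	int dangling = 0;
	struct device *curdev;

	for (curdev = bus->children; curdev; curdev = curdev->sibling) {
		struct resource *res;
		for (res = curdev->resource_list; res; res = res->next) {
			if ((res->flags & type_mask) != type)
				continue;
			if (res->flags & IORESOURCE_SUBTRACTIVE) {
				unsigned int link = IOINDEX_SUBTRACTIVE_LINK(res->index);
				struct bus *subbus;
				for (subbus = curdev->link_list; subbus; subbus = subbus->next)
					if (subbus->link_num == link)
						break;
				if (!subbus) {
					/* The case from the thread: report it and
					 * skip rather than dereference NULL. */
					fprintf(stderr, "%s: subtractive resource %#x "
						"has no bus for link %u\n",
						curdev->name, res->index, link);
					dangling++;
					continue;
				}
				dangling += search_bus_resources(subbus, type_mask,
								 type, search, gp);
				continue;
			}
			search(gp, curdev, res);
		}
	}
	return dangling;
}

/* Search callback: count the non-subtractive resources reached. */
static void count_leaf(void *gp, struct device *dev, struct resource *res)
{
	(void)dev; (void)res;
	(*(int *)gp)++;
}

/* Constructed sample tree: a bridge with two subtractive MEM resources,
 * one for link 0 (exists, holds one MEM leaf) and one for link 3 (no such
 * bus), next to a plain device with one MEM resource. */
static struct resource leaf_mem = { IORESOURCE_MEM, 0x10, NULL };
static struct device leaf_dev = { "leaf", &leaf_mem, NULL, NULL };
static struct bus bridge_link0 = { 0, &leaf_dev, NULL };
static struct resource bridge_sub3 = { IORESOURCE_MEM | IORESOURCE_SUBTRACTIVE, 0x103, NULL };
static struct resource bridge_sub0 = { IORESOURCE_MEM | IORESOURCE_SUBTRACTIVE, 0x100, &bridge_sub3 };
static struct resource plain_mem = { IORESOURCE_MEM, 0x14, NULL };
static struct device plain_dev = { "plain", &plain_mem, NULL, NULL };
static struct device bridge_dev = { "bridge", &bridge_sub0, &bridge_link0, &plain_dev };
static struct bus root_bus = { 0, &bridge_dev, NULL };

/* Number of MEM leaves reached in the sample tree (expected: 2). */
int sample_leaf_count(void)
{
	int leaves = 0;
	search_bus_resources(&root_bus, IORESOURCE_MEM, IORESOURCE_MEM, count_leaf, &leaves);
	return leaves;
}

/* Number of subtractive resources with no bus behind them (expected: 1). */
int sample_dangling_count(void)
{
	int leaves = 0;
	return search_bus_resources(&root_bus, IORESOURCE_MEM, IORESOURCE_MEM, count_leaf, &leaves);
}

int main(void)
{
	printf("leaves=%d dangling=%d\n", sample_leaf_count(), sample_dangling_count());
	return 0;
}
```

The walk still reaches the leaf behind link 0 and the plain device's resource; the resource that names link 3 is reported on stderr and counted instead of being followed through a NULL pointer.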