VirtualBox

Custom Query (16363 matches)

Results (1732 - 1734 of 16363)

Ticket Resolution Summary Owner Reporter
#16837 invalid sf_path_from_dentry: null pointer dereference on failed kmalloc allocation ColinIanKing
Description

Function sf_path_from_dentry in src/VBox/Additions/linux/sharedfolders/utils.c is allocating a buffer using kmalloc but it does not check if the allocation failed:

        out_bound_len = PATH_MAX;
        out = kmalloc(out_bound_len, GFP_KERNEL);
        name = out;

..and later it is dereferenced leading to a potential NULL pointer dereference crash.

        LogFunc(("result(%d) = %.*s\n", len, len, name));
        *out = 0;

I suggest that the kmalloc failure case needs to be handled correctly.

#16836 fixed sf_unlink_aux: potential null pointer dereference on dentry ColinIanKing
Description

Function sf_unlink_aux() in vboxsf/dirops.c performs a dereference on dentry with the following call:

    err = sf_path_from_dentry(__func__, sf_g, sf_i, dentry, &path);

However, a few statements later dentry is being checked to see if it is a NULL pointer:

    if (   dentry
        && dentry->d_inode
        && ((dentry->d_inode->i_mode & S_IFLNK) == S_IFLNK))
        fFlags |= SHFL_REMOVE_SYMLINK;

Either that null pointer check is redundant or dentry really could be NULL, in which case the earlier call to sf_path_from_dentry with a null dentry can trip a null pointer dereference bug on dentry.

Anyhow, the current code looks suspect and should be fixed.
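
Added example (not VirtualBox code and not from the reporter): a userspace C model of the two patterns reported in #16837 and #16836 above, with the allocation result and the entry pointer checked before first use. The names model_dentry, model_path_from_dentry, model_unlink, alloc_fn and failing_alloc are hypothetical; the injectable allocator exists so the out-of-memory path can be forced.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PATH_MAX 4096

/* Hypothetical stand-in for struct dentry: only the name is modelled. */
struct model_dentry { const char *name; };

/* Injectable allocator so the failure path can be exercised on demand. */
typedef void *(*alloc_fn)(size_t);
void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Returns 0 and sets *out to a fresh copy of the name; -EINVAL for a NULL
 * entry, -ENAMETOOLONG if it does not fit, -ENOMEM if allocation fails. */
int model_path_from_dentry(alloc_fn alloc, const struct model_dentry *d, char **out)
{
    *out = NULL;
    if (d == NULL || d->name == NULL)
        return -EINVAL;            /* validate before the first dereference */
    size_t len = strlen(d->name);
    if (len >= MODEL_PATH_MAX)
        return -ENAMETOOLONG;
    char *buf = alloc(MODEL_PATH_MAX);
    if (buf == NULL)
        return -ENOMEM;            /* report the failure, never write to NULL */
    memcpy(buf, d->name, len + 1); /* copies the terminating NUL as well */
    *out = buf;
    return 0;
}

/* Unlink-style caller: the entry is checked once, before any use of it. */
int model_unlink(alloc_fn alloc, const struct model_dentry *d)
{
    char *path;
    int err = model_path_from_dentry(alloc, d, &path);
    if (err)
        return err;
    free(path);
    return 0;
}

int main(void)
{
    struct model_dentry d = { "file.txt" };   /* constructed sample input */
    printf("%d %d %d\n", model_unlink(malloc, &d),
           model_unlink(failing_alloc, &d), model_unlink(malloc, NULL));
}
```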

#16834 invalid VGDrvCommonIoCtl may be potentially dereferencing a null pointer on pcbDataReturned ColinIanKing
Description

Function VGDrvCommonIoCtl in src/VBox/Additions/common/VBoxGuest/VBoxGuest.cpp is checking to see if pcbDataReturned is NULL and then setting it to zero, thus the code assumes there is a potential for the pointer to be NULL. However, later in the function we have:

            case VBOXGUEST_IOCTL_GUEST_CAPS_ACQUIRE:
                CHECKRET_SIZE("GUEST_CAPS_ACQUIRE", sizeof(VBoxGuestCapsAquire));
                rc = vgdrvIoCtl_GuestCapsAcquire(pDevExt, pSession, (VBoxGuestCapsAquire *)pvData);
                *pcbDataReturned = sizeof(VBoxGuestCapsAquire);
                break;

and this is dereferencing the pointer that could potentially be zero.
