[PATCH] USB: Fix NULLPTR dereference when serial# is unset
Michael
michaelsunn101 at gmail.com
Tue Jan 28 00:12:10 CET 2025
The problem can be reproduced with U-Boot's sandbox with the default config.
Then, run the following commands at the shell:
Hit any key to stop autoboot: 0
=> env set serial# test
=> env default -f serial#
at which point the program will crash.
The following change will show that the env default -f command causes
the null pointer dereference.
void g_dnl_set_serialnumber(char *s)
{
memset(g_dnl_serial, 0, MAX_STRING_SERIAL);
+ printf("Reading serial from address %p\n", s);
strncpy(g_dnl_serial, s, MAX_STRING_SERIAL - 1);
}
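Review bot: The added printf() only reports the incoming pointer; when s is NULL it prints (nil) and the strncpy() on the next line still dereferences address 0, so this hunk demonstrates the crash but does not contain the guard the quoted message describes. The fix belongs before the copy, e.g. `if (!s) return;` right after the memset() (which already leaves g_dnl_serial cleared), and the diagnostic print should be dropped from the submitted patch.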
On Mon, Jan 27, 2025 at 3:58 PM Marek Vasut <marex at denx.de> wrote:
>
> On 1/27/25 10:07 PM, Michael Ferolito wrote:
> > The current behaviour of this function will dereference a null pointer
> > if the serial# environment variable is unset. This was discovered on a
> > board where U-Boot did not have access to the first 256MB of ram,
> > resulting in a board crash.
> > In the event that U-Boot has full access to memory, it will still read
> > from address 0, which is probably not optimal.
> > This simple check is enough to fix it.
> How does one trigger this problem?
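The guarded setter the thread describes, written out as an added stand-alone example (not the patch's own code); the value MAX_STRING_SERIAL = 32 and the g_dnl_get_serialnumber() accessor are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for this example; U-Boot defines its own value. */
#define MAX_STRING_SERIAL 32

/* Stand-in for U-Boot's global serial number buffer. */
static char g_dnl_serial[MAX_STRING_SERIAL];

/*
 * Hardened version of the setter discussed in the thread. The original
 * called strncpy() on s unconditionally, so an unset serial# (s == NULL)
 * meant a read from address 0. Here NULL simply leaves the buffer cleared.
 */
void g_dnl_set_serialnumber(const char *s)
{
	memset(g_dnl_serial, 0, MAX_STRING_SERIAL);
	if (!s)
		return;
	/* Copy at most MAX_STRING_SERIAL - 1 bytes; the memset keeps a NUL. */
	strncpy(g_dnl_serial, s, MAX_STRING_SERIAL - 1);
}

/* Read back the stored serial; always NUL-terminated. (Assumed helper.) */
const char *g_dnl_get_serialnumber(void)
{
	return g_dnl_serial;
}

int main(void)
{
	/* Models "env set serial# test" followed by "env default -f serial#". */
	g_dnl_set_serialnumber("test");
	printf("set:   \"%s\"\n", g_dnl_get_serialnumber());
	g_dnl_set_serialnumber(NULL);
	printf("unset: \"%s\"\n", g_dnl_get_serialnumber());
	return 0;
}
```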