Subject: port-i386/15394: null pointer reference in emuxki causes a kernel crash
To: None <gnats-bugs@gnats.netbsd.org>
From: None <o.vd.linden@quicknet.nl>
List: netbsd-bugs
Date: 01/27/2002 16:52:36
>Number: 15394
>Category: port-i386
>Synopsis: null pointer reference in emuxki causes a kernel crash
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: port-i386-maintainer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jan 27 08:06:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Onno van der Linden
>Release: NetBSD 1.5ZA
>Organization:
>Environment:
System: NetBSD sheep 1.5ZA NetBSD 1.5ZA (SHEEP) #1: Sun Jan 27 15:56:25 MET 2002 root@sheep:/usr/src/sys/arch/i386/compile/SHEEP i386
Architecture: i386
Machine: i386
>Description:
The emuxki driver can be forced to reference a null pointer,
thereby causing a kernel crash. This is caused by not checking
for null values before calling emuxki_set_vparms around line 1775
(unlike the call at line 1967).
Line 1775 says
if ((error = emuxki_set_vparms((mode == AUMODE_PLAY) ?
sc->pvoice : sc->rvoice, p)))
When sc->pvoice or sc->rvoice contains a null pointer, it
is referenced in the first line of emuxki_set_vparms, causing
a uvm_fault and the appearance of the ddb prompt.
>How-To-Repeat:
cat /dev/null | audioplay -f
>Fix:
*** emuxki.c.orig Sun Jan 27 16:25:50 2002
--- emuxki.c Sun Jan 27 16:41:07 2002
***************
*** 1767,1770 ****
--- 1767,1771 ----
int mode, error;
struct audio_params *p;
+ struct emuxki_voice *v;
for (mode = AUMODE_RECORD; mode != -1;
***************
*** 1773,1781 ****
continue;
! p = (mode == AUMODE_PLAY) ? play : rec;
/* No multiple voice support for now */
! if ((error = emuxki_set_vparms((mode == AUMODE_PLAY) ?
! sc->pvoice : sc->rvoice, p)))
return (error);
}
--- 1774,1791 ----
continue;
! if (mode == AUMODE_PLAY) {
! p = play;
! v = sc->pvoice;
! }
! else {
! p = rec;
! v = sc->rvoice;
! }
!
! if (v == NULL);
! continue;
/* No multiple voice support for now */
! if ((error = emuxki_set_vparms(v, p)))
return (error);
}
>Release-Note:
>Audit-Trail:
>Unformatted:
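The loop the report describes, as an added example that is not code from NetBSD or the emuxki driver: a user-space model of the set_params loop around line 1775, so the NULL-voice case can be exercised without a kernel. The struct contents, the return convention (a count of configured voices, or a negative errno) and the body of the mock emuxki_set_vparms are assumptions made for the model; the unchecked variant is deliberately never run with a NULL voice, since that is the crash.

```c
/*
 * Added example, not code from NetBSD or the emuxki driver: a user-space
 * model of the set_params loop described in the PR. The structs, the
 * return convention and the body of the mock emuxki_set_vparms are
 * assumptions made so the model runs stand-alone.
 */
#include <stddef.h>
#include <stdio.h>

#define AUMODE_PLAY   0x01
#define AUMODE_RECORD 0x02

struct audio_params { unsigned sample_rate; unsigned channels; }; /* assumed fields */
struct emuxki_voice { unsigned sample_rate; unsigned channels; }; /* assumed fields */
struct emuxki_softc {
	struct emuxki_voice *pvoice;   /* NULL until a playback voice exists */
	struct emuxki_voice *rvoice;   /* NULL until a record voice exists */
};

/* Mock of emuxki_set_vparms: as the PR says of the real one, the very
 * first statement dereferences the voice, so a NULL voice faults here. */
static int
emuxki_set_vparms(struct emuxki_voice *voice, const struct audio_params *p)
{
	voice->sample_rate = p->sample_rate;   /* uvm_fault in the kernel if voice == NULL */
	voice->channels = p->channels;
	return 0;
}

/*
 * Model of the loop at the PR's line 1775 with the voice selection made
 * explicit. 'check' selects the variant:
 *   0: as shipped, no NULL check; faults when the mode's voice is NULL
 *   1: the PR's patch verbatim, including its stray ';' after the if
 *   2: the check as intended: skip the mode whose voice is NULL
 * Returns a negative errno on failure, else the number of voices configured.
 */
static int
set_params_model(struct emuxki_softc *sc, int setmode,
    const struct audio_params *play, const struct audio_params *rec, int check)
{
	int mode, error, configured = 0;
	const struct audio_params *p;
	struct emuxki_voice *v;

	for (mode = AUMODE_RECORD; mode != -1;
	    mode = (mode == AUMODE_RECORD) ? AUMODE_PLAY : -1) {
		if ((setmode & mode) == 0)
			continue;
		if (mode == AUMODE_PLAY) {
			p = play;
			v = sc->pvoice;
		} else {
			p = rec;
			v = sc->rvoice;
		}
		if (check == 1) {
			if (v == NULL);   /* sic: empty body, so the continue below is unconditional */
			continue;
		} else if (check == 2) {
			if (v == NULL)
				continue;
		}
		if ((error = emuxki_set_vparms(v, p)) != 0)
			return -error;
		configured++;
	}
	return configured;
}

int
main(void)
{
	struct emuxki_voice pv, rv;
	struct audio_params play = { 44100, 2 }, rec = { 8000, 1 };
	/* Constructed state: a record voice exists, the playback voice does not. */
	struct emuxki_softc sc = { NULL, &rv };
	int n;

	n = set_params_model(&sc, AUMODE_PLAY, &play, &rec, 2);
	printf("checked loop, pvoice NULL, play only: %d voice(s) configured\n", n);
	sc.pvoice = &pv;
	n = set_params_model(&sc, AUMODE_PLAY | AUMODE_RECORD, &play, &rec, 1);
	printf("patch as posted, both voices present: %d voice(s) configured\n", n);
	n = set_params_model(&sc, AUMODE_PLAY | AUMODE_RECORD, &play, &rec, 2);
	printf("checked loop, both voices present: %d voice(s) configured\n", n);
	/* set_params_model(&sc, AUMODE_PLAY, ..., 0) with sc.pvoice == NULL would
	 * dereference NULL, which is the crash the PR reports; it is not run. */
	return 0;
}
```

Variant 1 shows why the stray semicolon in the posted patch matters: with both voices present it configures nothing, because the `continue` has become unconditional. Variant 2 is the check the patch meant to add; whether to skip the mode silently or return an error to the caller is a design choice the model leaves open.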