[1/2] Use after free bugs

Submitted by Jonathan Scott \"Tincman\" Tinkham on Aug. 15, 2014, 12:49 a.m.

Details

Message ID 20140814204940.7aee717b@Argon
State New

Commit Message

Jonathan Scott \"Tincman\" Tinkham Aug. 15, 2014, 12:49 a.m.
param_value is passed after being freed in a few cases, which can cause
segfaults. The functions are supposed to return an error for other reasons,
but it is possible that the freed pointer still gets used.

Signed-off-by: Jonathan Tinkham <sctincman@gmail.com>
----
 tests/cl/api/get-command-queue-info.c | 2 ++
 tests/cl/api/get-context-info.c       | 2 ++
 tests/cl/api/get-image-info.c         | 2 ++
 tests/cl/api/get-kernel-info.c        | 4 +++-
 tests/cl/api/get-mem-object-info.c    | 4 +++-
 tests/cl/api/get-platform-ids.c       | 2 ++
 tests/cl/api/get-program-info.c       | 4 +++-
 7 files changed, 17 insertions(+), 3 deletions(-)


diff --git a/tests/cl/api/get-command-queue-info.c b/tests/cl/api/get-command-queue-info.c
index 3ea8780..31fde75 100644
--- a/tests/cl/api/get-command-queue-info.c
+++ b/tests/cl/api/get-command-queue-info.c
@@ -125,6 +125,7 @@  piglit_cl_test(const int argc,
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
 
+	param_value = malloc(param_value_size);
 	errNo = clGetCommandQueueInfo(command_queue,
 	                              CL_QUEUE_REFERENCE_COUNT,
 	                              1,
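Review bot: The result of `malloc(param_value_size)` is used without a NULL check, so on allocation failure the call below receives a NULL `param_value` and presumably no longer exercises the too-small-buffer error case that the size argument `1` is there to trigger. A guard before the call, for example `if (param_value == NULL) piglit_merge_result(&result, PIGLIT_FAIL);`, would keep the reported result honest. The same unchecked allocation is added in get-context-info.c, get-image-info.c, get-kernel-info.c, get-mem-object-info.c and get-program-info.c, and as `malloc(sizeof(cl_platform_id))` in get-platform-ids.c, where a NULL `platforms` would silently switch the call to the other CL_INVALID_VALUE condition named in the comment above it. `param_value_size` is assigned outside this hunk, so it is worth confirming it still holds a valid size here when the earlier query has failed.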
@@ -136,6 +137,7 @@  piglit_cl_test(const int argc,
 		        piglit_cl_get_error_name(errNo));
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
+	free(param_value);
 	
 	/*
 	 * CL_INVALID_COMMAND_QUEUE if command_queue is not a valid command queue.
diff --git a/tests/cl/api/get-context-info.c b/tests/cl/api/get-context-info.c
index fdd1f67..5f815e3 100644
--- a/tests/cl/api/get-context-info.c
+++ b/tests/cl/api/get-context-info.c
@@ -143,6 +143,7 @@  piglit_cl_test(const int argc,
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
 
+	param_value = malloc(param_value_size);
 	errNo = clGetContextInfo(cl_ctx,
 	                         CL_CONTEXT_REFERENCE_COUNT,
 	                         1,
@@ -154,6 +155,7 @@  piglit_cl_test(const int argc,
 		        piglit_cl_get_error_name(errNo));
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
+	free(param_value);
 	
 	/*
 	 * CL_INVALID_CONTEXT if context is not a valid context.
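Review bot: After `free(param_value);` the pointer keeps its old address, so any later call in piglit_cl_test that still passes `param_value` would again hand freed memory to the implementation, which is the pattern the commit message describes. Resetting it immediately, `free(param_value); param_value = NULL;`, turns a stale use into a NULL argument instead of a use-after-free. The rest of the function lies outside the hunk, so whether the CL_INVALID_CONTEXT checks that follow pass the pointer could not be confirmed here. The same applies to the `free(param_value);` added in get-command-queue-info.c, get-image-info.c, get-kernel-info.c, get-mem-object-info.c and get-program-info.c, and to `free(platforms);` in get-platform-ids.c.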
diff --git a/tests/cl/api/get-image-info.c b/tests/cl/api/get-image-info.c
index b315ae9..e03743b 100644
--- a/tests/cl/api/get-image-info.c
+++ b/tests/cl/api/get-image-info.c
@@ -169,6 +169,7 @@  piglit_cl_test(const int argc,
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
 
+	param_value = malloc(param_value_size);
 	errNo = clGetImageInfo(image,
 	                       CL_IMAGE_FORMAT,
 	                       1,
@@ -180,6 +181,7 @@  piglit_cl_test(const int argc,
 		        piglit_cl_get_error_name(errNo));
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
+	free(param_value);
 	
 	/*
 	 * CL_INVALID_MEM_OBJECT if image is a not a valid image object.
diff --git a/tests/cl/api/get-kernel-info.c b/tests/cl/api/get-kernel-info.c
index a6718ca..2641ca3 100644
--- a/tests/cl/api/get-kernel-info.c
+++ b/tests/cl/api/get-kernel-info.c
@@ -134,6 +134,7 @@  piglit_cl_test(const int argc,
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
 
+	param_value = malloc(param_value_size);
 	errNo = clGetKernelInfo(kernel,
 	                        CL_KERNEL_FUNCTION_NAME,
 	                        1,
@@ -145,7 +146,8 @@  piglit_cl_test(const int argc,
 		        piglit_cl_get_error_name(errNo));
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
-	
+	free(param_value);
+
 	/*
 	 * CL_INVALID_KERNEL if kernel is not a valid kernel object.
 	 */
diff --git a/tests/cl/api/get-mem-object-info.c b/tests/cl/api/get-mem-object-info.c
index c24b51d..7ace7ac 100644
--- a/tests/cl/api/get-mem-object-info.c
+++ b/tests/cl/api/get-mem-object-info.c
@@ -134,6 +134,7 @@  piglit_cl_test(const int argc,
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
 
+	param_value = malloc(param_value_size);
 	errNo = clGetMemObjectInfo(memobj,
 	                           CL_MEM_TYPE,
 	                           1,
@@ -145,7 +146,8 @@  piglit_cl_test(const int argc,
 		        piglit_cl_get_error_name(errNo));
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
-	
+	free(param_value);
+
 	/*
 	 * CL_INVALID_MEM_OBJECT if memobj is a not a valid memory object.
 	 */
diff --git a/tests/cl/api/get-platform-ids.c b/tests/cl/api/get-platform-ids.c
index f94ab0c..c859877 100644
--- a/tests/cl/api/get-platform-ids.c
+++ b/tests/cl/api/get-platform-ids.c
@@ -90,6 +90,7 @@  piglit_cl_test(const int argc,
 	 * to zero and platforms is not NULL, or if both num_platforms 
 	 * and platforms are NULL.
 	 */
+	platforms = malloc(sizeof(cl_platform_id));
 	errNo = clGetPlatformIDs(0, platforms, NULL);
 	if(!piglit_cl_check_error(errNo, CL_INVALID_VALUE)) {
 		fprintf(stderr,
@@ -97,6 +98,7 @@  piglit_cl_test(const int argc,
 		        piglit_cl_get_error_name(errNo));
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
+	free(platforms);
 	errNo = clGetPlatformIDs(100, NULL, NULL);
 	if(!piglit_cl_check_error(errNo, CL_INVALID_VALUE)) {
 		fprintf(stderr,
diff --git a/tests/cl/api/get-program-info.c b/tests/cl/api/get-program-info.c
index 1c4a307..ba118a2 100644
--- a/tests/cl/api/get-program-info.c
+++ b/tests/cl/api/get-program-info.c
@@ -173,6 +173,7 @@  piglit_cl_test(const int argc,
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
 
+	param_value = malloc(param_value_size);
 	errNo = clGetProgramInfo(env->program,
 	                         CL_PROGRAM_REFERENCE_COUNT,
 	                         1,
@@ -184,7 +185,8 @@  piglit_cl_test(const int argc,
 		        piglit_cl_get_error_name(errNo));
 		piglit_merge_result(&result, PIGLIT_FAIL);
 	}
-	
+	free(param_value);
+
 	/*
 	 * CL_INVALID_PROGRAM if program is not a valid program object.
 	 */

Comments

native_* functions have "implementation-defined" tolerance, and thus testing
native_pow with any sort of tolerance isn't exactly testing conformance.
Switching this to test powr makes more sense to me.

Signed-off-by: Jonathan Tinkham <sctincman@gmail.com>
---
 tests/cl/program/execute/gegl-gamma-2-2-to-linear.cl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/cl/program/execute/gegl-gamma-2-2-to-linear.cl b/tests/cl/program/execute/gegl-gamma-2-2-to-linear.cl
index 9cd449e..e6cfd16 100644
--- a/tests/cl/program/execute/gegl-gamma-2-2-to-linear.cl
+++ b/tests/cl/program/execute/gegl-gamma-2-2-to-linear.cl
@@ -48,7 +48,7 @@ arg_out: 0 buffer float[1] 0.214041 tolerance 0.00001
 kernel void gamma_2_2_to_linear (global float *out, float value)
 {
   if (value > 0.03928f)
-    out[0] =  native_powr ((value + 0.055f) / 1.055f, 2.4f);
+    out[0] =  powr ((value + 0.055f) / 1.055f, 2.4f);
   else
     out[0] = value / 12.92f;
 }