On Mon, Jan 10, 2022 at 01:12:10PM +0100, Tobias Heider wrote:
> sdmmc_mem_send_scr() tries to malloc() with M_NOWAIT and returns 0 on
> error, which leads to sdmmc_mem_sd_init() passing uninitialized stack
> memory to sdmmc_mem_decode_scr().
> The diff below makes sdmmc_mem_send_scr() return ENOMEM if malloc fails.
>
> ok?
Nice catch. ok stsp@
> diff --git a/sys/dev/sdmmc/sdmmc_mem.c b/sys/dev/sdmmc/sdmmc_mem.c
> index fae8d63912d..715c412e6ea 100644
> --- a/sys/dev/sdmmc/sdmmc_mem.c
> +++ b/sys/dev/sdmmc/sdmmc_mem.c
> @@ -465,8 +465,10 @@ sdmmc_mem_send_scr(struct sdmmc_softc *sc, uint32_t *scr)
> int error = 0;
>
> ptr = malloc(datalen, M_DEVBUF, M_NOWAIT | M_ZERO);
> - if (ptr == NULL)
> + if (ptr == NULL) {
> + error = ENOMEM;
> goto out;
> + }
>
> memset(&cmd, 0, sizeof(cmd));
> cmd.c_data = ptr;
>
>
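Review bot: In the new `if (ptr == NULL) {` branch, setting `error = ENOMEM` only closes the hole if sdmmc_mem_sd_init() checks the return value before calling sdmmc_mem_decode_scr(), and that caller is not part of this hunk, so it is worth confirming. Since the description says the SCR buffer is uninitialized stack memory in the caller, zeroing it there as well would keep any other early exit that leaves `*scr` unwritten from feeding stack contents to the decoder. It may also be worth a short comment on why `M_NOWAIT` is needed here, since this allocation failure path exists only because the call cannot sleep.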