[PATCH] Use after free in drivers/media/video/videodev.c
From: Kronos (kronos_at_kronoz.cjb.net)
Date: 08/30/03
- Previous message: Marcelo Tosatti: "Re: Linux 2.4.23-pre2"
- Next in thread: Andrew Morton: "Re: [PATCH] Use after free in drivers/media/video/videodev.c"
- Reply: Andrew Morton: "Re: [PATCH] Use after free in drivers/media/video/videodev.c"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 30 Aug 2003 21:55:29 +0200 To: linux-kernel@vger.kernel.org
Hi,
I think that there's a bug in videdev.c. Look at
video_unregister_device:
void video_unregister_device(struct video_device *vfd) {
[...]
class_device_unregister(&vfd->class_dev);
devfs_remove(vfd->devfs_name);
video_device[vfd->minor]=NULL;
}
The class_device_unregister will call video_release. This function will
call a ->release callback. As far as I can see drivers do their
own cleanup outside video_unregister_device so there is no problem.
However, if a driver switch to dynamically allocated video_device
this ->release callback will free the struct video_device (look
at video_device_release) and possibly its container. So after
class_device_unregister vfd may be a pointer to deallocated memory.
I think that class_device_unregister should be moved down:
--- 2.6.0.orig/drivers/media/video/videodev.c Tue Aug 12 17:02:29 2003
+++ 2.6.0/drivers/media/video/videodev.c Sat Aug 30 21:13:29 2003
@@ -349,9 +349,9 @@
if(video_device[vfd->minor]!=vfd)
panic("videodev: bad unregister");
- class_device_unregister(&vfd->class_dev);
devfs_remove(vfd->devfs_name);
video_device[vfd->minor]=NULL;
+ class_device_unregister(&vfd->class_dev);
up(&videodev_lock);
}
Luca
-- Reply-To: kronos@kronoz.cjb.net Home: http://kronoz.cjb.net The trouble with computers is that they do what you tell them, not what you want. D. Cohen - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
- Previous message: Marcelo Tosatti: "Re: Linux 2.4.23-pre2"
- Next in thread: Andrew Morton: "Re: [PATCH] Use after free in drivers/media/video/videodev.c"
- Reply: Andrew Morton: "Re: [PATCH] Use after free in drivers/media/video/videodev.c"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
- [patch] fix: dmi_check_system
... Bug: The count is incremented after we check for the nonzero return ... first
check returns zero--no matches--if the callback returns nonzero. ... Attached patch implements
the count before calling the callback and thus ... send the line "unsubscribe linux-kernel"
in ... (Linux-Kernel) - Re: dev->release = (void (*)(struct device *))kfree;
... will still be unregistered (removed from the various lists) but the ... releasecallback
won't be called until the last user. ... send the line "unsubscribe linux-kernel" in ...
(Linux-Kernel) - Re: timeSetEvent() wraps after inteval of 429496
... setting a period of 430000 which generate a callback in 504ms. ... > The
actual exports for these time functions are in winmm.dll, and this bug ... > // This
code reproduces a bug in timeSetEvent() where if a periodic timing ... > void CALLBACK
TimerProc(UINT uID, UINT uMsg, DWORD dwUser, DWORD dw1, ... (microsoft.public.win32.programmer.mmedia) - Re: [PATCH] Force feedback support for uinput
... > the physical path of devices created via uinput, ... > to signal when
a callback has been entered. ... send the line "unsubscribe linux-kernel" in ...
(Linux-Kernel) - Re: timeSetEvent() wraps after inteval of 429496
... setting a period of 430000 which generate a callback in 504ms. ... > The
actual exports for these time functions are in winmm.dll, and this bug ... You can always
use IReferenceClock. ... had a prior exposure to BASIC: as potential programmers
they are mentally ... (microsoft.public.win32.programmer.mmedia)
