[PATCH] Use after free in drivers/media/video/videodev.c

From: Kronos (kronos_at_kronoz.cjb.net)
Date: 08/30/03

    Date:	Sat, 30 Aug 2003 21:55:29 +0200
    To: linux-kernel@vger.kernel.org
    
    

    Hi,
    I think that there's a bug in videodev.c. Look at
    video_unregister_device:

    void video_unregister_device(struct video_device *vfd) {
            [...]
            class_device_unregister(&vfd->class_dev);
            devfs_remove(vfd->devfs_name);
            video_device[vfd->minor]=NULL;
    }

    The class_device_unregister will call video_release. This function will
    call a ->release callback. As far as I can see drivers do their
    own cleanup outside video_unregister_device so there is no problem.

    However, if a driver switches to a dynamically allocated video_device
    this ->release callback will free the struct video_device (look
    at video_device_release) and possibly its container. So after
    class_device_unregister vfd may be a pointer to deallocated memory.

    I think that class_device_unregister should be moved down:

    --- 2.6.0.orig/drivers/media/video/videodev.c Tue Aug 12 17:02:29 2003
    +++ 2.6.0/drivers/media/video/videodev.c Sat Aug 30 21:13:29 2003
    @@ -349,9 +349,9 @@
             if(video_device[vfd->minor]!=vfd)
                     panic("videodev: bad unregister");
     
    - class_device_unregister(&vfd->class_dev);
             devfs_remove(vfd->devfs_name);
             video_device[vfd->minor]=NULL;
    + class_device_unregister(&vfd->class_dev);
             up(&videodev_lock);
     }
     
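    Review bot: the reorder is the right fix for the use-after-free described in the mail, but the hunk should also record the invariant it now relies on: after the moved `class_device_unregister(&vfd->class_dev);` the driver's ->release callback may already have freed `vfd`, so no statement after it may dereference the pointer. The only remaining statement, `up(&videodev_lock);`, does not touch `vfd`, which is fine, but a one-line comment above the moved call (for example `/* may free vfd via ->release; do not touch vfd after this */`) would keep a later edit from reintroducing the bug. Note also that the release may equally run later, when the last reference to the class device is dropped, so the rule "no use of vfd after this call" is needed regardless of when the free actually happens.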

    Luca

    -- 
    Reply-To: kronos@kronoz.cjb.net
    Home: http://kronoz.cjb.net
    The trouble with computers is that they do what you tell them,
    not what you want.
    D. Cohen
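    The ordering problem described in the mail, reduced to a small user-space model so it can be run and observed: this is an added example, not code from the mail or from the kernel, and the names `vdev`, `table`, `run_scenario` and the release callbacks are hypothetical stand-ins for struct video_device, video_device[] and a driver's ->release. Freeing is modelled by a flag rather than a real free so that the access after release is counted instead of being undefined behaviour; the memory is only released once the scenario is over.

```c
#include <stdio.h>
#include <stdlib.h>

#define NMINORS 4

struct vdev {                         /* stand-in for struct video_device (hypothetical) */
    int minor;
    int freed;                        /* set once ->release has "freed" the object */
    void (*release)(struct vdev *);
};

static struct vdev *table[NMINORS];   /* stand-in for video_device[] */
static int uaf_events;                /* accesses to an object after its release ran */

/* Every field read goes through this accessor so that an access after release
 * is counted rather than being undefined behaviour. */
static int vdev_minor(const struct vdev *v)
{
    if (v->freed)
        uaf_events++;
    return v->minor;
}

/* Driver with a statically allocated device: release has nothing to free. */
static void static_release(struct vdev *v) { (void)v; }

/* Driver with a dynamically allocated device: release frees it (modelled by a flag). */
static void dynamic_release(struct vdev *v) { v->freed = 1; }

/* Ordering of the original function: the release runs first and the minor
 * is read from the object afterwards. */
static void unregister_original(struct vdev *v)
{
    v->release(v);                    /* may free v */
    table[vdev_minor(v)] = NULL;      /* use after free when v was dynamic */
}

/* Ordering proposed in the patch: finish with the object before release can run. */
static void unregister_patched(struct vdev *v)
{
    table[vdev_minor(v)] = NULL;
    v->release(v);                    /* last use of v */
}

/* Registers one device under minor 2, unregisters it with the chosen ordering
 * and returns the number of post-release accesses observed (-2 if the table
 * slot was not cleared, -1 on allocation failure). */
int run_scenario(int dynamic, int patched)
{
    struct vdev *v = calloc(1, sizeof *v);
    if (!v)
        return -1;
    v->minor = 2;
    v->release = dynamic ? dynamic_release : static_release;
    table[v->minor] = v;
    uaf_events = 0;

    if (patched)
        unregister_patched(v);
    else
        unregister_original(v);

    int events = uaf_events;
    if (table[2] != NULL)
        events = -2;                  /* the slot must be cleared either way */
    free(v);                          /* real free, now that nothing uses v */
    return events;
}

int main(void)
{
    printf("static  device, original order: %d post-release accesses\n", run_scenario(0, 0));
    printf("static  device, patched  order: %d post-release accesses\n", run_scenario(0, 1));
    printf("dynamic device, original order: %d post-release accesses\n", run_scenario(1, 0));
    printf("dynamic device, patched  order: %d post-release accesses\n", run_scenario(1, 1));
    return 0;
}
```

The static case comes out clean in both orderings, which matches the mail's observation that current drivers are unaffected; only the combination of a freeing release callback and the original ordering produces an access after release.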
    
