From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
To: tiwai@suse.de
Cc: linux1394-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org,
Chengfeng Ye <cyeaa@connect.ust.hk>,
stable@vger.kernel.org
Subject: [PATCH 1/3] firewire: fix potential uaf in outbound_phy_packet_callback()
Date: Sat, 9 Apr 2022 13:12:41 +0900 [thread overview]
Message-ID: <20220409041243.603210-2-o-takashi@sakamocchi.jp> (raw)
In-Reply-To: <20220409041243.603210-1-o-takashi@sakamocchi.jp>
From: Chengfeng Ye <cyeaa@connect.ust.hk>
&e->event and e point to the same address, and &e->event could
be freed in queue_event. So there is a potential uaf issue if
we dereference e after calling queue_event(). Fix this by adding
a temporary variable to maintain e->client in advance, this can
avoid the potential uaf issue.
Cc: <stable@vger.kernel.org>
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
---
drivers/firewire/core-cdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 9f89c17730b1..708e417200f4 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -1500,6 +1500,7 @@ static void outbound_phy_packet_callback(struct fw_packet *packet,
{
struct outbound_phy_packet_event *e =
container_of(packet, struct outbound_phy_packet_event, p);
+ struct client *e_client;
switch (status) {
/* expected: */
@@ -1516,9 +1517,10 @@ static void outbound_phy_packet_callback(struct fw_packet *packet,
}
e->phy_packet.data[0] = packet->timestamp;
+ e_client = e->client;
queue_event(e->client, &e->event, &e->phy_packet,
sizeof(e->phy_packet) + e->phy_packet.length, NULL, 0);
- client_put(e->client);
+ client_put(e_client);
}
static int ioctl_send_phy_packet(struct client *client, union ioctl_arg *arg)
--
2.34.1
WARNING: multiple messages have this Message-ID
From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
To: tiwai@suse.de
Cc: alsa-devel@alsa-project.org,
linux1394-devel@lists.sourceforge.net,
Chengfeng Ye <cyeaa@connect.ust.hk>,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 1/3] firewire: fix potential uaf in outbound_phy_packet_callback()
Date: Sat, 9 Apr 2022 13:12:41 +0900 [thread overview]
Message-ID: <20220409041243.603210-2-o-takashi@sakamocchi.jp> (raw)
In-Reply-To: <20220409041243.603210-1-o-takashi@sakamocchi.jp>
From: Chengfeng Ye <cyeaa@connect.ust.hk>
&e->event and e point to the same address, and &e->event could
be freed in queue_event. So there is a potential uaf issue if
we dereference e after calling queue_event(). Fix this by adding
a temporary variable to maintain e->client in advance, this can
avoid the potential uaf issue.
Cc: <stable@vger.kernel.org>
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
---
drivers/firewire/core-cdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 9f89c17730b1..708e417200f4 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -1500,6 +1500,7 @@ static void outbound_phy_packet_callback(struct fw_packet *packet,
{
struct outbound_phy_packet_event *e =
container_of(packet, struct outbound_phy_packet_event, p);
+ struct client *e_client;
switch (status) {
/* expected: */
@@ -1516,9 +1517,10 @@ static void outbound_phy_packet_callback(struct fw_packet *packet,
}
e->phy_packet.data[0] = packet->timestamp;
+ e_client = e->client;
queue_event(e->client, &e->event, &e->phy_packet,
sizeof(e->phy_packet) + e->phy_packet.length, NULL, 0);
- client_put(e->client);
+ client_put(e_client);
}
static int ioctl_send_phy_packet(struct client *client, union ioctl_arg *arg)
--
2.34.1
next prev parent reply other threads:[~2022-04-09 4:13 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-09 4:12 [PATCH 0/3] firewire: fixes for kernel v4.9 or later Takashi Sakamoto
2022-04-09 4:12 ` Takashi Sakamoto
2022-04-09 4:12 ` Takashi Sakamoto [this message]
2022-04-09 4:12 ` [PATCH 1/3] firewire: fix potential uaf in outbound_phy_packet_callback() Takashi Sakamoto
2022-04-09 4:12 ` [PATCH 2/3] firewire: remove check of list iterator against head past the loop body Takashi Sakamoto
2022-04-09 4:12 ` Takashi Sakamoto
2022-04-09 4:12 ` [PATCH 3/3] firewire: core: extend card->lock in fw_core_handle_bus_reset Takashi Sakamoto
2022-04-09 4:12 ` Takashi Sakamoto
2022-04-25 6:05 ` [PATCH 0/3] firewire: fixes for kernel v4.9 or later Takashi Iwai
2022-04-25 6:05 ` Takashi Iwai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220409041243.603210-2-o-takashi@sakamocchi.jp \
--to=o-takashi@sakamocchi.jp \
--cc=alsa-devel@alsa-project.org \
--cc=cyeaa@connect.ust.hk \
--cc=linux-kernel@vger.kernel.org \
--cc=linux1394-devel@lists.sourceforge.net \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
--subject='Re: [PATCH 1/3] firewire: fix potential uaf in outbound_phy_packet_callback()' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.