From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
To: tiwai@suse.de
Cc: linux1394-devel@lists.sourceforge.net,
	linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org,
	Chengfeng Ye <cyeaa@connect.ust.hk>,
	stable@vger.kernel.org
Subject: [PATCH 1/3] firewire: fix potential uaf in outbound_phy_packet_callback()
Date: Sat,  9 Apr 2022 13:12:41 +0900	[thread overview]
Message-ID: <20220409041243.603210-2-o-takashi@sakamocchi.jp> (raw)
In-Reply-To: <20220409041243.603210-1-o-takashi@sakamocchi.jp>

From: Chengfeng Ye <cyeaa@connect.ust.hk>

&e->event and e point to the same address, and &e->event could
be freed in queue_event(). So there is a potential uaf issue if
we dereference e after calling queue_event(). Fix this by adding
a temporary variable to maintain e->client in advance; this can
avoid the potential uaf issue.

Cc: <stable@vger.kernel.org>
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
---
 drivers/firewire/core-cdev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 9f89c17730b1..708e417200f4 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -1500,6 +1500,7 @@ static void outbound_phy_packet_callback(struct fw_packet *packet,
 {
 	struct outbound_phy_packet_event *e =
 		container_of(packet, struct outbound_phy_packet_event, p);
+	struct client *e_client;
 
 	switch (status) {
 	/* expected: */
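Review bot: `e_client` could be initialised at its declaration (`struct client *e_client = e->client;`), since `e` is valid on entry and the separate assignment later in the function adds a second place to keep in sync; in either form, a one-line comment at the declaration saying that `e` may be freed by `queue_event()` would document why the copy exists, because the lifetime hazard is otherwise invisible at this point in the code.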
@@ -1516,9 +1517,10 @@ static void outbound_phy_packet_callback(struct fw_packet *packet,
 	}
 	e->phy_packet.data[0] = packet->timestamp;
 
+	e_client = e->client;
 	queue_event(e->client, &e->event, &e->phy_packet,
 		    sizeof(e->phy_packet) + e->phy_packet.length, NULL, 0);
-	client_put(e->client);
+	client_put(e_client);
 }
 
 static int ioctl_send_phy_packet(struct client *client, union ioctl_arg *arg)
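Review bot: the fix is correct for the `client_put()` call, since `e_client` is read before `queue_event()` can free `e` (the `e->client` argument is also evaluated before the call, so that read is safe too), but passing `e_client` to `queue_event()` as well would make the hunk self-consistent and stop a later reader from reintroducing an `e->client` access after the call. A short comment above `queue_event()` noting that `&e->event` is handed over and may be freed inside it would record the reason for the local.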
-- 
2.34.1


