superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

media: mc: fix potential use-after-free in media_request_alloc() 

Commit 6f504cbf10 ("media: convert media_request_alloc() to
FD_PREPARE()") moved the call to fd_install() (now hidden in
fd_publish()) before the snprintf(), making the later write to
potentially already freed memory, as userland is free to call
close() concurrently right after the call to fd_install() which
may end up in the request_fops.release() handler freeing 'req'.

Fixes: 6f504cbf10 ("media: convert media_request_alloc() to FD_PREPARE()")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Link: https://patch.msgid.link/20251209210903.603958-1-minipli@grsecurity.net
Signed-off-by: Christian Brauner <brauner@kernel.org>
pull/1258/merge
Mathias Krause 2025-12-09 22:09:03 +01:00 committed by Christian Brauner
parent 8f0b4cce44
commit a260bd22a3
No known key found for this signature in database
GPG Key ID: 91C61BC06578DCA2
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/media/mc/mc-request.c
View File

@ -315,12 +315,12 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
fd_prepare_file(fdf)->private_data = req;
*alloc_fd = fd_publish(fdf);
snprintf(req->debug_str, sizeof(req->debug_str), "%u:%d",
atomic_inc_return(&mdev->request_id), *alloc_fd);
atomic_inc_return(&mdev->request_id), fd_prepare_fd(fdf));
dev_dbg(mdev->dev, "request: allocated %s\n", req->debug_str);
*alloc_fd = fd_publish(fdf);
return 0;
err_free_req: