[PATCH] firewire: prevent userspace from accessing shut down devices

From: Stefan Richter
Date: Fri May 16 2008 - 14:24:02 EST

Next message: Bjorn Helgaas: "Re: [patch 6/8] PNP: replace pnp_resource_table with dynamically allocated resources"
Previous message: Alan Cox: "Re: [PATCH] drivers/net: remove network drivers' last few uses ofIRQF_SAMPLE_RANDOM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I almost forgot that we generally Cc LKML on patches. So here is an -rc
fix candidate for LKML to see:

Date: Fri, 16 May 2008 11:15:23 -0400
From: Jay Fenlason <fenlason@xxxxxxxxxx>

If userspace ignores the POLLERR bit from poll(), and only attempts to
read() the device when POLLIN is set, it can still make ioctl() calls on
a device that has been removed from the system. The node_id and
generation returned by GET_INFO will be outdated, but INITIATE_BUS_RESET
would still cause a bus reset, and GET_CYCLE_TIMER will return data.

We now immediately fail open, ioctl, compat_ioctl, and mmap against
shutdown devices.

Signed-off-by: Jay Fenlason <fenlason@xxxxxxxxxx>
Signed-off-by: Stefan Richter <stefanr@xxxxxxxxxxxxxxxxx>
---
drivers/firewire/fw-cdev.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)

Index: linux/drivers/firewire/fw-cdev.c
===================================================================
--- linux.orig/drivers/firewire/fw-cdev.c
+++ linux/drivers/firewire/fw-cdev.c
@@ -113,6 +113,11 @@ static int fw_device_op_open(struct inod
if (device == NULL)
return -ENODEV;

+ if (fw_device_is_shutdown(device)) {
+ fw_device_put(device);
+ return -ENODEV;
+ }
+
client = kzalloc(sizeof(*client), GFP_KERNEL);
if (client == NULL) {
fw_device_put(device);
@@ -901,6 +906,9 @@ fw_device_op_ioctl(struct file *file,
{
struct client *client = file->private_data;

+ if (fw_device_is_shutdown(client->device))
+ return -ENODEV;
+
return dispatch_ioctl(client, cmd, (void __user *) arg);
}

@@ -911,6 +919,9 @@ fw_device_op_compat_ioctl(struct file *f
{
struct client *client = file->private_data;

+ if (fw_device_is_shutdown(client->device))
+ return -ENODEV;
+
return dispatch_ioctl(client, cmd, compat_ptr(arg));
}
#endif
@@ -922,6 +933,9 @@ static int fw_device_op_mmap(struct file
unsigned long size;
int page_count, retval;

+ if (fw_device_is_shutdown(client->device))
+ return -ENODEV;
+
/* FIXME: We could support multiple buffers, but we don't. */
if (client->buffer.pages != NULL)
return -EBUSY;

--
Stefan Richter
-=====-==--- -=-= =----
http://arcgraph.de/sr/

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Bjorn Helgaas: "Re: [patch 6/8] PNP: replace pnp_resource_table with dynamically allocated resources"
Previous message: Alan Cox: "Re: [PATCH] drivers/net: remove network drivers' last few uses ofIRQF_SAMPLE_RANDOM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]