Re: Sound driver security hole?

Linus Torvalds (torvalds@transmeta.com)
Fri, 30 Jan 1998 10:41:41 -0800 (PST)


On Fri, 30 Jan 1998, Thomas Sailer wrote:
>
> Now let's look at sound. Consider a system where
> sound.o is demand loaded by kerneld. A malicious app
> does something like the following:
>
> fd = open("/dev/dsp"...);
> some ioctls to set various parameters
> mmap(..., MAP_SHARED, fd, ...);
> close(fd);
>
> At this point, the app has mapped the DMA buffer
> into its address space. The physical storage behind
> the mapping was allocated by the sound driver with
> get_free_pages, and it keeps this allocation around.
> But since the fd is closed again, the use count
> of the sound module is 0 and nothing prevents
> the module from being removed.

The sound driver still knows that it is in use because the kernel has not
done an "inode->i_op->put_inode" on the inode in question. If the sound
module has decremented the module count to zero even though there are
inodes in use, then it's a sound module bug (and not strictly related to
mmap at all, although I think mmap() is the only way to keep a reference
to the inode/dentry while dropping the file reference).

Linus
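The lifetime point both messages turn on, that a MAP_SHARED mapping keeps the underlying inode alive after the descriptor it was created from is closed, can be shown from user space. The program below is an added example and is not code from the original thread; a temporary regular file stands in for /dev/dsp (assumption: any driver-specific ioctls are omitted, since only the lifetime of the mapping matters here), and the function name mapping_outlives_fd is the example's own.

```c
/* Added example, not from the original thread: a MAP_SHARED mapping
 * outlives the file descriptor it was made from. A temporary regular
 * file stands in for /dev/dsp (assumption), and the sound ioctls from
 * the quoted message are left out because only the mapping's lifetime
 * is being demonstrated. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define BUF_LEN 4096
#define PATTERN 0xAB

/* Returns 1 if a write made through the mapping after close(fd) is
 * visible to a fresh open() of the same file, 0 if it is not, and -1
 * on a setup error. */
int mapping_outlives_fd(void)
{
    char path[] = "/tmp/mmap-lifetime-XXXXXX";
    unsigned char check[BUF_LEN];
    unsigned char *buf;
    int fd, fd2, i;
    ssize_t n;

    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, BUF_LEN) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }

    buf = mmap(NULL, BUF_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (buf == MAP_FAILED) {
        close(fd);
        unlink(path);
        return -1;
    }

    /* Drop the file reference. The open file is gone, but the mapping
     * still holds a reference to the inode, so the backing object, and
     * in the driver case the memory behind it, must stay valid. */
    close(fd);

    /* Writes through the mapping still reach the backing object. */
    memset(buf, PATTERN, BUF_LEN);
    if (msync(buf, BUF_LEN, MS_SYNC) < 0) {
        munmap(buf, BUF_LEN);
        unlink(path);
        return -1;
    }

    /* Re-open by path and read back what was written via the mapping. */
    fd2 = open(path, O_RDONLY);
    if (fd2 < 0) {
        munmap(buf, BUF_LEN);
        unlink(path);
        return -1;
    }
    n = read(fd2, check, BUF_LEN);
    close(fd2);
    munmap(buf, BUF_LEN);
    unlink(path);

    if (n != BUF_LEN)
        return -1;
    for (i = 0; i < BUF_LEN; i++)
        if (check[i] != PATTERN)
            return 0;
    return 1;
}

int main(void)
{
    int r = mapping_outlives_fd();
    if (r < 0) {
        perror("setup failed");
        return 1;
    }
    printf("mapping %s close(fd)\n", r ? "survives" : "does not survive");
    return 0;
}
```

A driver that ties its module use count only to open/release of the file sees the count drop to zero at close(fd) while this mapping, and the pages it covers, are still live; the reference that actually has to pin the module is the one the mapping holds on the inode, which is released only when the mapping is torn down.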