firewire: core: fix use-after-free regression in FCP handler

Commit db5d247a "firewire: fix use of multiple AV/C devices, allow multiple FCP listeners" introduced a regression into 2.6.33-rc3: The core freed payloads of incoming requests to FCP_Request or FCP_Response before a userspace driver accessed them. We need to copy such payloads for each registered userspace client and free the copies according to the lifetime rules of non-FCP client request resources. (This could possibly be optimized by reference counts instead of copies.) The presently only kernelspace driver which listens for FCP requests, firedtv, was not affected because it already copies FCP frames into an own buffer before returning to firewire-core's FCP handler dispatcher. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
author: Stefan Richter <stefanr@s5r6.in-berlin.de> 2010-01-24 10:45:03 -0500
committer: Stefan Richter <stefanr@s5r6.in-berlin.de> 2010-01-26 14:54:50 -0500
commit: 281e20323ab72180137824a298ee9e21e6f9acf6 (patch)
tree: b807edaafec3c00e442d41d9091b9783a53820f9 /drivers
parent: 6d3faf6f431bafb25f4b9926c50a7e5c267738c6 (diff)
1 files changed, 36 insertions, 14 deletions
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index e6d63849e78..4eeaed57e21 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -35,6 +35,7 @@
 #include <linux/preempt.h>
 #include <linux/sched.h>
 #include <linux/spinlock.h>
+#include <linux/string.h>
 #include <linux/time.h>
 #include <linux/uaccess.h>
 #include <linux/vmalloc.h>
@@ -595,13 +596,20 @@ static int ioctl_send_request(struct client *client, void *buffer)
                            client->device->max_speed);
 }
+static inline bool is_fcp_request(struct fw_request *request)
+{
+        return request == NULL;
+}
 static void release_request(struct client *client,
                            struct client_resource *resource)
 {
        struct inbound_transaction_resource *r = container_of(resource,
                        struct inbound_transaction_resource, resource);
-        if (r->request)
+        if (is_fcp_request(r->request))
+                kfree(r->data);
+        else
                fw_send_response(client->device->card, r->request,
                                 RCODE_CONFLICT_ERROR);
        kfree(r);
@@ -616,6 +624,7 @@ static void handle_request(struct fw_card *card, struct fw_request *request,
        struct address_handler_resource *handler = callback_data;
        struct inbound_transaction_resource *r;
        struct inbound_transaction_event *e;
+        void *fcp_frame = NULL;
        int ret;
        r = kmalloc(sizeof(*r), GFP_ATOMIC);
@@ -627,6 +636,18 @@ static void handle_request(struct fw_card *card, struct fw_request *request,
        r->data    = payload;
        r->length  = length;
+        if (is_fcp_request(request)) {
+                /*
+                 * FIXME: Let core-transaction.c manage a
+                 * single reference-counted copy?
+                 */
+                fcp_frame = kmemdup(payload, length, GFP_ATOMIC);
+                if (fcp_frame == NULL)
+                        goto failed;
+                r->data = fcp_frame;
+        }
        r->resource.release = release_request;
        ret = add_client_resource(handler->client, &r->resource, GFP_ATOMIC);
        if (ret < 0)
@@ -640,13 +661,15 @@ static void handle_request(struct fw_card *card, struct fw_request *request,
        e->request.closure = handler->closure;
        queue_event(handler->client, &e->event,
-                    &e->request, sizeof(e->request), payload, length);
+                    &e->request, sizeof(e->request), r->data, length);
        return;
 failed:
        kfree(r);
        kfree(e);
-        if (request)
+        kfree(fcp_frame);
+        if (!is_fcp_request(request))
                fw_send_response(card, request, RCODE_CONFLICT_ERROR);
 }
@@ -717,18 +740,17 @@ static int ioctl_send_response(struct client *client, void *buffer)
        r = container_of(resource, struct inbound_transaction_resource,
                         resource);
-        if (r->request) {
+        if (is_fcp_request(r->request))
-                if (request->length < r->length)
+                goto out;
-                        r->length = request->length;
-                if (copy_from_user(r->data, u64_to_uptr(request->data),
+        if (request->length < r->length)
-                                   r->length)) {
+                r->length = request->length;
-                        ret = -EFAULT;
+        if (copy_from_user(r->data, u64_to_uptr(request->data), r->length)) {
-                        kfree(r->request);
+                ret = -EFAULT;
-                        goto out;
+                kfree(r->request);
-                }
+                goto out;
-                fw_send_response(client->device->card, r->request,
-                                 request->rcode);
        }
+        fw_send_response(client->device->card, r->request, request->rcode);
 out:
        kfree(r);
author	Stefan Richter <stefanr@s5r6.in-berlin.de>	2010-01-24 10:45:03 -0500
committer	Stefan Richter <stefanr@s5r6.in-berlin.de>	2010-01-26 14:54:50 -0500
commit	281e20323ab72180137824a298ee9e21e6f9acf6 (patch)
tree	b807edaafec3c00e442d41d9091b9783a53820f9 /drivers
parent	6d3faf6f431bafb25f4b9926c50a7e5c267738c6 (diff)

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c index e6d63849e78..4eeaed57e21 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c
@@ -35,6 +35,7 @@
35	#include <linux/preempt.h>	35	#include <linux/preempt.h>
36	#include <linux/sched.h>	36	#include <linux/sched.h>
37	#include <linux/spinlock.h>	37	#include <linux/spinlock.h>
		38	#include <linux/string.h>
38	#include <linux/time.h>	39	#include <linux/time.h>
39	#include <linux/uaccess.h>	40	#include <linux/uaccess.h>
40	#include <linux/vmalloc.h>	41	#include <linux/vmalloc.h>
@@ -595,13 +596,20 @@ static int ioctl_send_request(struct client client, void buffer)
595	client->device->max_speed);	596	client->device->max_speed);
596	}	597	}
597		598
		599	static inline bool is_fcp_request(struct fw_request *request)
		600	{
		601	return request == NULL;
		602	}
		603
598	static void release_request(struct client *client,	604	static void release_request(struct client *client,
599	struct client_resource *resource)	605	struct client_resource *resource)
600	{	606	{
601	struct inbound_transaction_resource *r = container_of(resource,	607	struct inbound_transaction_resource *r = container_of(resource,
602	struct inbound_transaction_resource, resource);	608	struct inbound_transaction_resource, resource);
603		609
604	if (r->request)	610	if (is_fcp_request(r->request))
		611	kfree(r->data);
		612	else
605	fw_send_response(client->device->card, r->request,	613	fw_send_response(client->device->card, r->request,
606	RCODE_CONFLICT_ERROR);	614	RCODE_CONFLICT_ERROR);
607	kfree(r);	615	kfree(r);
@@ -616,6 +624,7 @@ static void handle_request(struct fw_card card, struct fw_request request,
616	struct address_handler_resource *handler = callback_data;	624	struct address_handler_resource *handler = callback_data;
617	struct inbound_transaction_resource *r;	625	struct inbound_transaction_resource *r;
618	struct inbound_transaction_event *e;	626	struct inbound_transaction_event *e;
		627	void *fcp_frame = NULL;
619	int ret;	628	int ret;
620		629
621	r = kmalloc(sizeof(*r), GFP_ATOMIC);	630	r = kmalloc(sizeof(*r), GFP_ATOMIC);
@@ -627,6 +636,18 @@ static void handle_request(struct fw_card card, struct fw_request request,
627	r->data = payload;	636	r->data = payload;
628	r->length = length;	637	r->length = length;
629		638
		639	if (is_fcp_request(request)) {
		640	/*
		641	* FIXME: Let core-transaction.c manage a
		642	* single reference-counted copy?
		643	*/
		644	fcp_frame = kmemdup(payload, length, GFP_ATOMIC);
		645	if (fcp_frame == NULL)
		646	goto failed;
		647
		648	r->data = fcp_frame;
		649	}
		650
630	r->resource.release = release_request;	651	r->resource.release = release_request;
631	ret = add_client_resource(handler->client, &r->resource, GFP_ATOMIC);	652	ret = add_client_resource(handler->client, &r->resource, GFP_ATOMIC);
632	if (ret < 0)	653	if (ret < 0)
@@ -640,13 +661,15 @@ static void handle_request(struct fw_card card, struct fw_request request,
640	e->request.closure = handler->closure;	661	e->request.closure = handler->closure;
641		662
642	queue_event(handler->client, &e->event,	663	queue_event(handler->client, &e->event,
643	&e->request, sizeof(e->request), payload, length);	664	&e->request, sizeof(e->request), r->data, length);
644	return;	665	return;
645		666
646	failed:	667	failed:
647	kfree(r);	668	kfree(r);
648	kfree(e);	669	kfree(e);
649	if (request)	670	kfree(fcp_frame);
		671
		672	if (!is_fcp_request(request))
650	fw_send_response(card, request, RCODE_CONFLICT_ERROR);	673	fw_send_response(card, request, RCODE_CONFLICT_ERROR);
651	}	674	}
652		675
@@ -717,18 +740,17 @@ static int ioctl_send_response(struct client client, void buffer)
717		740
718	r = container_of(resource, struct inbound_transaction_resource,	741	r = container_of(resource, struct inbound_transaction_resource,
719	resource);	742	resource);
720	if (r->request) {	743	if (is_fcp_request(r->request))
721	if (request->length < r->length)	744	goto out;
722	r->length = request->length;	745
723	if (copy_from_user(r->data, u64_to_uptr(request->data),	746	if (request->length < r->length)
724	r->length)) {	747	r->length = request->length;
725	ret = -EFAULT;	748	if (copy_from_user(r->data, u64_to_uptr(request->data), r->length)) {
726	kfree(r->request);	749	ret = -EFAULT;
727	goto out;	750	kfree(r->request);
728	}	751	goto out;
729	fw_send_response(client->device->card, r->request,
730	request->rcode);
731	}	752	}
		753	fw_send_response(client->device->card, r->request, request->rcode);
732	out:	754	out:
733	kfree(r);	755	kfree(r);
734		756