USB: fix DoS in pwc USB video driver

the pwc driver has a disconnect method that waits for user space to close the device. This opens up an opportunity for a DoS attack, blocking the USB subsystem and making khubd's task busy wait in kernel space. This patch shifts freeing resources to close if an opened device is disconnected. Signed-off-by: Oliver Neukum <oneukum@suse.de> CC: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Oliver Neukum <oneukum@suse.de> 2007-08-21 01:10:42 -0400
committer: Greg Kroah-Hartman <gregkh@suse.de> 2007-08-22 17:27:58 -0400
commit: 85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d (patch)
tree: 261871504ea83df81488ac36e567e36de08c9b7a /drivers/media
parent: c39772d82ad453647ea4bf9d793010d86ef5e597 (diff)
2 files changed, 36 insertions, 17 deletions
diff --git a/drivers/media/video/pwc/pwc-if.c b/drivers/media/video/pwc/pwc-if.c
index 9c0e8d18c2f6..3d81966d8c42 100644
--- a/drivers/media/video/pwc/pwc-if.c
+++ b/drivers/media/video/pwc/pwc-if.c
@@ -1196,12 +1196,19 @@ static int pwc_video_open(struct inode *inode, struct file *file)
        return 0;
 }
+static void pwc_cleanup(struct pwc_device *pdev)
+{
+        pwc_remove_sysfs_files(pdev->vdev);
+        video_unregister_device(pdev->vdev);
+}
 /* Note that all cleanup is done in the reverse order as in _open */
 static int pwc_video_close(struct inode *inode, struct file *file)
 {
        struct video_device *vdev = file->private_data;
        struct pwc_device *pdev;
-        int i;
+        int i, hint;
        PWC_DEBUG_OPEN(">> video_close called(vdev = 0x%p).\n", vdev);
@@ -1224,8 +1231,9 @@ static int pwc_video_close(struct inode *inode, struct file *file)
        pwc_isoc_cleanup(pdev);
        pwc_free_buffers(pdev);
+        lock_kernel();
        /* Turn off LEDS and power down camera, but only when not unplugged */
-        if (pdev->error_status != EPIPE) {
+        if (!pdev->unplugged) {
                /* Turn LEDs off */
                if (pwc_set_leds(pdev, 0, 0) < 0)
                        PWC_DEBUG_MODULE("Failed to set LED on/off time.\n");
@@ -1234,9 +1242,19 @@ static int pwc_video_close(struct inode *inode, struct file *file)
                        if (i < 0)
                                PWC_ERROR("Failed to power down camera (%d)\n", i);
                }
+                pdev->vopen--;
+                PWC_DEBUG_OPEN("<< video_close() vopen=%d\n", i);
+        } else {
+                pwc_cleanup(pdev);
+                /* Free memory (don't set pdev to 0 just yet) */
+                kfree(pdev);
+                /* search device_hint[] table if we occupy a slot, by any chance */
+                for (hint = 0; hint < MAX_DEV_HINTS; hint++)
+                        if (device_hint[hint].pdev == pdev)
+                                device_hint[hint].pdev = NULL;
        }
-        pdev->vopen--;
+        unlock_kernel();
-        PWC_DEBUG_OPEN("<< video_close() vopen=%d\n", pdev->vopen);
        return 0;
 }
@@ -1791,21 +1809,21 @@ static void usb_pwc_disconnect(struct usb_interface *intf)
        /* Alert waiting processes */
        wake_up_interruptible(&pdev->frameq);
        /* Wait until device is closed */
-        while (pdev->vopen)
+        if(pdev->vopen) {
-                schedule();
+                pdev->unplugged = 1;
-        /* Device is now closed, so we can safely unregister it */
+        } else {
-        PWC_DEBUG_PROBE("Unregistering video device in disconnect().\n");
+                /* Device is closed, so we can safely unregister it */
-        pwc_remove_sysfs_files(pdev->vdev);
+                PWC_DEBUG_PROBE("Unregistering video device in disconnect().\n");
-        video_unregister_device(pdev->vdev);
+                pwc_cleanup(pdev);
+                /* Free memory (don't set pdev to 0 just yet) */
-        /* Free memory (don't set pdev to 0 just yet) */
+                kfree(pdev);
-        kfree(pdev);
 disconnect_out:
-        /* search device_hint[] table if we occupy a slot, by any chance */
+                /* search device_hint[] table if we occupy a slot, by any chance */
-        for (hint = 0; hint < MAX_DEV_HINTS; hint++)
+                for (hint = 0; hint < MAX_DEV_HINTS; hint++)
-                if (device_hint[hint].pdev == pdev)
+                        if (device_hint[hint].pdev == pdev)
-                        device_hint[hint].pdev = NULL;
+                                device_hint[hint].pdev = NULL;
+        }
        unlock_kernel();
 }
diff --git a/drivers/media/video/pwc/pwc.h b/drivers/media/video/pwc/pwc.h
index 910a04f53920..8e8e5b27e77e 100644
--- a/drivers/media/video/pwc/pwc.h
+++ b/drivers/media/video/pwc/pwc.h
@@ -193,6 +193,7 @@ struct pwc_device
   char vsnapshot;              /* snapshot mode */
   char vsync;                  /* used by isoc handler */
   char vmirror;                /* for ToUCaM series */
+        char unplugged;
   int cmd_len;
   unsigned char cmd_buf[13];
author	Oliver Neukum <oneukum@suse.de>	2007-08-21 01:10:42 -0400
committer	Greg Kroah-Hartman <gregkh@suse.de>	2007-08-22 17:27:58 -0400
commit	85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d (patch)
tree	261871504ea83df81488ac36e567e36de08c9b7a /drivers/media
parent	c39772d82ad453647ea4bf9d793010d86ef5e597 (diff)

diff --git a/drivers/media/video/pwc/pwc-if.c b/drivers/media/video/pwc/pwc-if.c index 9c0e8d18c2f6..3d81966d8c42 100644 --- a/drivers/media/video/pwc/pwc-if.c +++ b/drivers/media/video/pwc/pwc-if.c
@@ -1196,12 +1196,19 @@ static int pwc_video_open(struct inode inode, struct file file)
1196	return 0;	1196	return 0;
1197	}	1197	}
1198		1198
		1199
		1200	static void pwc_cleanup(struct pwc_device *pdev)
		1201	{
		1202	pwc_remove_sysfs_files(pdev->vdev);
		1203	video_unregister_device(pdev->vdev);
		1204	}
		1205
1199	/* Note that all cleanup is done in the reverse order as in _open */	1206	/* Note that all cleanup is done in the reverse order as in _open */
1200	static int pwc_video_close(struct inode inode, struct file file)	1207	static int pwc_video_close(struct inode inode, struct file file)
1201	{	1208	{
1202	struct video_device *vdev = file->private_data;	1209	struct video_device *vdev = file->private_data;
1203	struct pwc_device *pdev;	1210	struct pwc_device *pdev;
1204	int i;	1211	int i, hint;
1205		1212
1206	PWC_DEBUG_OPEN(">> video_close called(vdev = 0x%p).\n", vdev);	1213	PWC_DEBUG_OPEN(">> video_close called(vdev = 0x%p).\n", vdev);
1207		1214
@@ -1224,8 +1231,9 @@ static int pwc_video_close(struct inode inode, struct file file)
1224	pwc_isoc_cleanup(pdev);	1231	pwc_isoc_cleanup(pdev);
1225	pwc_free_buffers(pdev);	1232	pwc_free_buffers(pdev);
1226		1233
		1234	lock_kernel();
1227	/* Turn off LEDS and power down camera, but only when not unplugged */	1235	/* Turn off LEDS and power down camera, but only when not unplugged */
1228	if (pdev->error_status != EPIPE) {	1236	if (!pdev->unplugged) {
1229	/* Turn LEDs off */	1237	/* Turn LEDs off */
1230	if (pwc_set_leds(pdev, 0, 0) < 0)	1238	if (pwc_set_leds(pdev, 0, 0) < 0)
1231	PWC_DEBUG_MODULE("Failed to set LED on/off time.\n");	1239	PWC_DEBUG_MODULE("Failed to set LED on/off time.\n");
@@ -1234,9 +1242,19 @@ static int pwc_video_close(struct inode inode, struct file file)
1234	if (i < 0)	1242	if (i < 0)
1235	PWC_ERROR("Failed to power down camera (%d)\n", i);	1243	PWC_ERROR("Failed to power down camera (%d)\n", i);
1236	}	1244	}
		1245	pdev->vopen--;
		1246	PWC_DEBUG_OPEN("<< video_close() vopen=%d\n", i);
		1247	} else {
		1248	pwc_cleanup(pdev);
		1249	/* Free memory (don't set pdev to 0 just yet) */
		1250	kfree(pdev);
		1251	/* search device_hint[] table if we occupy a slot, by any chance */
		1252	for (hint = 0; hint < MAX_DEV_HINTS; hint++)
		1253	if (device_hint[hint].pdev == pdev)
		1254	device_hint[hint].pdev = NULL;
1237	}	1255	}
1238	pdev->vopen--;	1256	unlock_kernel();
1239	PWC_DEBUG_OPEN("<< video_close() vopen=%d\n", pdev->vopen);	1257
1240	return 0;	1258	return 0;
1241	}	1259	}
1242		1260
@@ -1791,21 +1809,21 @@ static void usb_pwc_disconnect(struct usb_interface *intf)
1791	/* Alert waiting processes */	1809	/* Alert waiting processes */
1792	wake_up_interruptible(&pdev->frameq);	1810	wake_up_interruptible(&pdev->frameq);
1793	/* Wait until device is closed */	1811	/* Wait until device is closed */
1794	while (pdev->vopen)	1812	if(pdev->vopen) {
1795	schedule();	1813	pdev->unplugged = 1;
1796	/* Device is now closed, so we can safely unregister it */	1814	} else {
1797	PWC_DEBUG_PROBE("Unregistering video device in disconnect().\n");	1815	/* Device is closed, so we can safely unregister it */
1798	pwc_remove_sysfs_files(pdev->vdev);	1816	PWC_DEBUG_PROBE("Unregistering video device in disconnect().\n");
1799	video_unregister_device(pdev->vdev);	1817	pwc_cleanup(pdev);
1800		1818	/* Free memory (don't set pdev to 0 just yet) */
1801	/* Free memory (don't set pdev to 0 just yet) */	1819	kfree(pdev);
1802	kfree(pdev);
1803		1820
1804	disconnect_out:	1821	disconnect_out:
1805	/* search device_hint[] table if we occupy a slot, by any chance */	1822	/* search device_hint[] table if we occupy a slot, by any chance */
1806	for (hint = 0; hint < MAX_DEV_HINTS; hint++)	1823	for (hint = 0; hint < MAX_DEV_HINTS; hint++)
1807	if (device_hint[hint].pdev == pdev)	1824	if (device_hint[hint].pdev == pdev)
1808	device_hint[hint].pdev = NULL;	1825	device_hint[hint].pdev = NULL;
		1826	}
1809		1827
1810	unlock_kernel();	1828	unlock_kernel();
1811	}	1829	}


diff --git a/drivers/media/video/pwc/pwc.h b/drivers/media/video/pwc/pwc.h index 910a04f53920..8e8e5b27e77e 100644 --- a/drivers/media/video/pwc/pwc.h +++ b/drivers/media/video/pwc/pwc.h
@@ -193,6 +193,7 @@ struct pwc_device
193	char vsnapshot; /* snapshot mode */	193	char vsnapshot; /* snapshot mode */
194	char vsync; /* used by isoc handler */	194	char vsync; /* used by isoc handler */
195	char vmirror; /* for ToUCaM series */	195	char vmirror; /* for ToUCaM series */
		196	char unplugged;
196		197
197	int cmd_len;	198	int cmd_len;
198	unsigned char cmd_buf[13];	199	unsigned char cmd_buf[13];