diff options
author | Jay Fenlason <fenlason@redhat.com> | 2008-05-16 11:15:23 -0400 |
---|---|---|
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2008-05-20 12:24:17 -0400 |
commit | 551f4cb9de716ffcdaf968c99a450c22ff12e8c3 (patch) | |
tree | 97ad7f4a9bf073a8b8c9c61ae44eb9f1c41c0698 /drivers | |
parent | 93c596f7d611b379302bbdd26f31acdf72f4859a (diff) |
firewire: prevent userspace from accessing shut down devices
If userspace ignores the POLLERR bit from poll(), and only attempts to
read() the device when POLLIN is set, it can still make ioctl() calls on
a device that has been removed from the system. The node_id and
generation returned by GET_INFO will be outdated, but INITIATE_BUS_RESET
would still cause a bus reset, and GET_CYCLE_TIMER will return data.
And if you guess the correct generation to use, you can send requests to
a different device on the bus, and get responses back.
This patch prevents open, ioctl, compat_ioctl, and mmap against shutdown
devices.
Signed-off-by: Jay Fenlason <fenlason@redhat.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/firewire/fw-cdev.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c index 4a541921a14a..dda14015e873 100644 --- a/drivers/firewire/fw-cdev.c +++ b/drivers/firewire/fw-cdev.c | |||
@@ -113,6 +113,11 @@ static int fw_device_op_open(struct inode *inode, struct file *file) | |||
113 | if (device == NULL) | 113 | if (device == NULL) |
114 | return -ENODEV; | 114 | return -ENODEV; |
115 | 115 | ||
116 | if (fw_device_is_shutdown(device)) { | ||
117 | fw_device_put(device); | ||
118 | return -ENODEV; | ||
119 | } | ||
120 | |||
116 | client = kzalloc(sizeof(*client), GFP_KERNEL); | 121 | client = kzalloc(sizeof(*client), GFP_KERNEL); |
117 | if (client == NULL) { | 122 | if (client == NULL) { |
118 | fw_device_put(device); | 123 | fw_device_put(device); |
@@ -901,6 +906,9 @@ fw_device_op_ioctl(struct file *file, | |||
901 | { | 906 | { |
902 | struct client *client = file->private_data; | 907 | struct client *client = file->private_data; |
903 | 908 | ||
909 | if (fw_device_is_shutdown(client->device)) | ||
910 | return -ENODEV; | ||
911 | |||
904 | return dispatch_ioctl(client, cmd, (void __user *) arg); | 912 | return dispatch_ioctl(client, cmd, (void __user *) arg); |
905 | } | 913 | } |
906 | 914 | ||
@@ -911,6 +919,9 @@ fw_device_op_compat_ioctl(struct file *file, | |||
911 | { | 919 | { |
912 | struct client *client = file->private_data; | 920 | struct client *client = file->private_data; |
913 | 921 | ||
922 | if (fw_device_is_shutdown(client->device)) | ||
923 | return -ENODEV; | ||
924 | |||
914 | return dispatch_ioctl(client, cmd, compat_ptr(arg)); | 925 | return dispatch_ioctl(client, cmd, compat_ptr(arg)); |
915 | } | 926 | } |
916 | #endif | 927 | #endif |
@@ -922,6 +933,9 @@ static int fw_device_op_mmap(struct file *file, struct vm_area_struct *vma) | |||
922 | unsigned long size; | 933 | unsigned long size; |
923 | int page_count, retval; | 934 | int page_count, retval; |
924 | 935 | ||
936 | if (fw_device_is_shutdown(client->device)) | ||
937 | return -ENODEV; | ||
938 | |||
925 | /* FIXME: We could support multiple buffers, but we don't. */ | 939 | /* FIXME: We could support multiple buffers, but we don't. */ |
926 | if (client->buffer.pages != NULL) | 940 | if (client->buffer.pages != NULL) |
927 | return -EBUSY; | 941 | return -EBUSY; |