linux/drivers/iio
Mathias Krause c72ea20503 iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL
If we fail to copy the just created file descriptor to userland, we
try to clean up by putting back 'fd' and freeing 'ib'. The code uses
put_unused_fd() for the former which is wrong, as the file descriptor
was already published by fd_install() which gets called internally by
anon_inode_getfd().

This makes the error handling code leave a half cleaned up file
descriptor table around and a partially destructed 'file' object,
allowing userland to play use-after-free tricks on us, by abusing
the still usable fd and making the code operate on a dangling
'file->private_data' pointer.

Instead of leaving the kernel in a partially corrupted state, don't
attempt to explicitly clean up and leave this to the process exit
path that'll release any still valid fds, including the one created
by the previous call to anon_inode_getfd(). Simply return -EFAULT to
indicate the error.

Fixes: f73f7f4da5 ("iio: buffer: add ioctl() to support opening extra buffers for IIO device")
Cc: stable@kernel.org
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: Alexandru Ardelean <ardeleanalex@gmail.com>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Nuno Sa <Nuno.Sa@analog.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-02-11 12:13:22 +01:00
accel 1st set of IIO new device support, features and cleanup for 5.17 2021-12-22 12:33:01 +01:00
adc bitmap patches for 5.17-rc1 2022-01-23 06:20:44 +02:00
addac iio:addac:ad74413r: Fix uninitialized ret in a path that won't be hit. 2021-12-21 15:10:10 +00:00
afe iio: afe: iio-rescale: Support processed channels 2021-06-03 18:24:13 +01:00
amplifiers iio:amplifiers:hmc425a: Suppress clang W=1 warning about pointer to enum conversion. 2021-12-21 15:10:09 +00:00
buffer iio: buffer-dma: Use round_down() instead of rounddown() 2021-11-27 15:12:44 +00:00
cdc iio:cdc:ad7150: Fix use of uninitialized ret 2021-04-07 08:36:39 +01:00
chemical iio: chemical: sunrise_co2: set val parameter only on success 2021-12-28 18:37:41 +00:00
common iio/scmi: Add reading "raw" attribute. 2021-11-17 17:51:35 +00:00
dac iio:dac:mcp4725: Suppress clang W=1 warning about pointer to enum conversion. 2021-12-21 15:10:09 +00:00
dummy iio:dummy: Drop set but unused variable len. 2021-12-21 15:10:09 +00:00
filter iio:filter:admv8818: add support for ADMV8818 2021-12-16 17:34:28 +00:00
frequency iio: frequency: admv1013: add support for ADMV1013 2021-12-23 11:53:48 +00:00
gyro iio: gyro: adxrs290: fix data signedness 2021-11-21 11:29:50 +00:00
health iio: afe4404: Remove no-op trigger ops 2021-11-17 17:51:37 +00:00
humidity iio: humidity: hdc100x: Add margin to the conversion time 2021-07-24 18:13:02 +01:00
imu iio:imu:inv_mpu6050: Suppress clang W=1 warning about pointer to enum conversion. 2021-12-21 15:10:09 +00:00
light 1st set of IIO new device support, features and cleanup for 5.17 2021-12-22 12:33:01 +01:00
magnetometer iio:magn:ak8975: Suppress clang W=1 warning about pointer to enum conversion. 2021-12-21 15:10:09 +00:00
multiplexer iio: multiplexer: iio-mux: Support settle-time-us property 2021-10-21 20:02:54 +01:00
orientation iio: hid-sensors: bind IIO channels alloc to device object 2021-07-13 18:21:53 +01:00
position iio: hid-sensors: Update header includes 2021-06-16 14:53:13 +01:00
potentiometer iio:pot:mcp41010: Switch to generic firmware properties. 2021-12-12 17:12:47 +00:00
potentiostat iio: lmp91000: Remove no-op trigger ops 2021-11-17 17:51:38 +00:00
pressure More power management updates for 5.17-rc1 2022-01-18 09:13:30 +02:00
proximity iio: as3935: Remove unnecessary cast 2021-12-16 16:34:54 +00:00
resolver iio:resolver:ad2s1200: Drop of_match_ptr protection 2020-09-21 18:41:31 +01:00
temperature iio: temperature: Add MAX31865 RTD Support 2021-09-14 12:00:33 +01:00
test iio: test: Add test for IIO_VAL_INT_64. 2021-11-27 16:33:45 +00:00
trigger 1st set of IIO new device support, features and cleanup for 5.17 2021-12-22 12:33:01 +01:00
iio_core_trigger.h iio: core-trigger: make iio_device_register_trigger_consumer() an int return 2021-03-11 20:47:02 +00:00
iio_core.h iio: Mark iio_device_type as const 2021-11-17 17:51:35 +00:00
industrialio-buffer.c iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL 2022-02-11 12:13:22 +01:00
industrialio-configfs.c
industrialio-core.c iio: iio_device_alloc(): Remove unnecessary self drvdata 2021-12-16 11:44:10 +00:00
industrialio-event.c iio:event: Add timeout event info type 2021-04-07 08:36:36 +01:00
industrialio-sw-device.c
industrialio-sw-trigger.c
industrialio-trigger.c 1st set of IIO new device support, features and cleanup for 5.17 2021-12-22 12:33:01 +01:00
industrialio-triggered-event.c iio: core: move @id from struct iio_dev to struct iio_dev_opaque 2021-05-17 13:49:13 +01:00
inkern.c iio: inkern: introduce devm_iio_map_array_register() short-hand function 2021-10-19 08:27:34 +01:00
Kconfig iio: add filter subfolder 2021-12-16 17:29:46 +00:00
Makefile iio: add filter subfolder 2021-12-16 17:29:46 +00:00
TODO