Mirror of https://github.com/torvalds/linux.git, synced 2024-12-23 11:21:33 +00:00
Commit 29b0589a86
When the ene device is detaching, function ene_remove() will
be called. But there is no call to cancel tx_sim_timer in
ene_remove(), so the timer handler ene_tx_irqsim() could race
with ene_remove(). As a result, UAF bugs could happen; the
process is shown below.
(cleanup routine)        |  (timer routine)
                         |  mod_timer(&dev->tx_sim_timer, ..)
ene_remove()             |  (wait a time)
                         |  ene_tx_irqsim()
                         |    dev->hw_lock //USE
                         |    ene_tx_sample(dev) //USE
Fix by adding del_timer_sync(&dev->tx_sim_timer) in ene_remove(),
so that tx_sim_timer stops before the ene device is deallocated.
What's more, rc_unregister_device() and del_timer_sync()
should be called first in ene_remove(), and the deallocation
functions such as free_irq(), release_region() and so on
should be called after them, because rc_unregister_device()
is well synchronized. Otherwise, race conditions may happen. The
situations that may lead to race conditions are shown below.
Firstly, the rx receiver is disabled with ene_rx_disable()
before rc_unregister_device() in ene_remove(), which means it
can be enabled again if a process opens /dev/lirc0 between
ene_rx_disable() and rc_unregister_device().
Secondly, the irqaction descriptor is freed by free_irq()
before the rc device is unregistered, which means the irqaction
descriptor may be accessed again after it is deallocated.
Thirdly, the timer can call ene_tx_sample(), which can write
to the io ports, which means the io ports could be accessed
again after they are deallocated by release_region().
Therefore, the rc_unregister_device() and del_timer_sync()
should be called first in ene_remove().
Suggested-by: Sean Young <sean@mess.org>
Fixes:
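The ordering argument above, as an added example that is not part of the kernel commit or of the ene_ir driver: a user-space C model in which a self-rearming timer thread plays the part of tx_sim_timer and ene_tx_irqsim(), and two remove routines release the device's resources either after or before a synchronous cancel. The sim_timer, sim_mod_timer(), sim_del_timer_sync() and sim_dev names are constructed stand-ins for timer_list, mod_timer(), del_timer_sync() and the driver's device structure, not the kernel API; the released flag stands in for free_irq()/release_region() having already run, and stale counts handler runs that would have been a use-after-free or a stale port access in the real driver.

```c
/* Added example, not the driver's code: user-space model of why a self-rearming
 * timer must be cancelled synchronously before the resources it uses are freed.
 * sim_* names stand in for timer_list/mod_timer/del_timer_sync (constructed). */
#define _GNU_SOURCE
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <unistd.h>

struct sim_timer {
	pthread_t thread;
	pthread_mutex_t lock;
	pthread_cond_t cond;
	int armed, running, cancelled;
	void (*fn)(void *);
	void *arg;
};

/* One thread per timer: wait until armed, expire, run the handler unlocked. */
static void *sim_timer_thread(void *p)
{
	struct sim_timer *t = p;
	pthread_mutex_lock(&t->lock);
	while (!t->cancelled) {
		if (!t->armed) {
			pthread_cond_wait(&t->cond, &t->lock);
			continue;
		}
		t->armed = 0;
		t->running = 1;			/* expired: handler is executing */
		pthread_mutex_unlock(&t->lock);
		usleep(500);
		t->fn(t->arg);			/* may re-arm via sim_mod_timer() */
		pthread_mutex_lock(&t->lock);
		t->running = 0;
		pthread_cond_broadcast(&t->cond);
	}
	pthread_mutex_unlock(&t->lock);
	return NULL;
}

static void sim_mod_timer(struct sim_timer *t)	/* mod_timer(): (re)arm */
{
	pthread_mutex_lock(&t->lock);
	if (!t->cancelled)		/* a cancel already in progress wins */
		t->armed = 1;
	pthread_cond_broadcast(&t->cond);
	pthread_mutex_unlock(&t->lock);
}

/* del_timer_sync(): deactivate, refuse re-arming, wait for a running handler. */
static void sim_del_timer_sync(struct sim_timer *t)
{
	pthread_mutex_lock(&t->lock);
	t->cancelled = 1;
	t->armed = 0;
	while (t->running)
		pthread_cond_wait(&t->cond, &t->lock);
	pthread_cond_broadcast(&t->cond);	/* let the thread exit */
	pthread_mutex_unlock(&t->lock);
	pthread_join(t->thread, NULL);
}

struct sim_dev {
	struct sim_timer tx_sim_timer;
	pthread_mutex_t hw_lock;
	atomic_int released;		/* free_irq()/release_region() already done */
	atomic_int samples, stale;	/* handler runs; runs after release */
};

/* Model of ene_tx_irqsim(): take hw_lock, sample, re-arm itself. */
static void sim_tx_irqsim(void *arg)
{
	struct sim_dev *dev = arg;
	pthread_mutex_lock(&dev->hw_lock);
	if (atomic_load(&dev->released))
		atomic_fetch_add(&dev->stale, 1);	/* UAF / stale I/O in the driver */
	atomic_fetch_add(&dev->samples, 1);
	pthread_mutex_unlock(&dev->hw_lock);
	sim_mod_timer(&dev->tx_sim_timer);
}

static void sim_dev_start(struct sim_dev *dev)
{
	struct sim_timer *t = &dev->tx_sim_timer;
	*dev = (struct sim_dev){ .hw_lock = PTHREAD_MUTEX_INITIALIZER,
		.tx_sim_timer = { .lock = PTHREAD_MUTEX_INITIALIZER,
		.cond = PTHREAD_COND_INITIALIZER, .fn = sim_tx_irqsim, .arg = dev } };
	pthread_create(&t->thread, NULL, sim_timer_thread, t);
	sim_mod_timer(t);
	while (atomic_load(&dev->samples) < 3)	/* let the handler run a bit */
		usleep(200);
}

/* Ordering from the fix: cancel first, release afterwards. */
static int fixed_remove(struct sim_dev *dev)
{
	sim_del_timer_sync(&dev->tx_sim_timer);
	atomic_store(&dev->released, 1);
	return atomic_load(&dev->stale);
}

/* Original ordering: release while the timer is still armed. Waiting for two
 * more expiries makes the outcome deterministic: at most one handler can have
 * passed its check before the store, so the next one is certain to see it. */
static int buggy_remove(struct sim_dev *dev)
{
	atomic_store(&dev->released, 1);
	int before = atomic_load(&dev->samples);
	while (atomic_load(&dev->samples) < before + 2)
		usleep(200);
	sim_del_timer_sync(&dev->tx_sim_timer);	/* only to stop the model's thread */
	return atomic_load(&dev->stale);
}

int main(void)
{
	struct sim_dev a, b;
	sim_dev_start(&a);
	printf("fixed ordering: %d stale handler runs\n", fixed_remove(&a));
	sim_dev_start(&b);
	printf("buggy ordering: %d stale handler runs\n", buggy_remove(&b));
	return 0;
}
```

Build with cc -pthread (glibc 2.34 and later no longer need the flag). fixed_remove() always reports 0 because sim_del_timer_sync() joins the timer thread before the resources are marked released, so no handler can run afterwards, which is what the ordering in the fix relies on in the driver as well. buggy_remove() releases first and then deliberately waits for two more expiries, which turns the nondeterministic race in the commit message's diagram into a guaranteed stale access; in the real driver the same window is where ene_tx_irqsim() would take dev->hw_lock and call ene_tx_sample() against freed memory or released ports.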