lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3294600.sHRg43ppdH@avalon>
Date:   Sat, 26 May 2018 19:21:11 +0300
From:   Laurent Pinchart <laurent.pinchart@...asonboard.com>
To:     David Fries <David@...es.net>
Cc:     linux-kernel@...r.kernel.org,
        Guennadi Liakhovetski <g.liakhovetski@....de>,
        Mauro Carvalho Chehab <mchehab@...pensource.com>,
        stable@...r.kernel.org
Subject: Re: [PATCH 1/1] media: uvc_driver: fix USB Camera ref leak denial of service

Hi David,

Thank you for the patch.

On Saturday, 26 May 2018 18:50:46 EEST David Fries wrote:
> Commit 9d15cd958c17 ("media: uvcvideo: Convert from using an atomic
> variable to a reference count")
> didn't take into account that while the old counter was initialized to
> 0 (no stream open), kref_init starts with a reference of 1.  The
> reference count on unplug no longer reaches 0, uvc_delete isn't
> called, and evdev doesn't release /dev/input/event*.  Plug and unplug
> enough times and it runs out of device minors preventing any new input
> device and the use of newly plugged in USB video cameras until the
> system is rebooted.
> 
> Signed-off-by: David Fries <David@...es.net>
> Cc: Guennadi Liakhovetski <g.liakhovetski@....de>
> Cc: Laurent Pinchart <laurent.pinchart@...asonboard.com>
> Cc: Mauro Carvalho Chehab <mchehab@...pensource.com>
> Cc: stable@...r.kernel.org

Philipp Zabel has already posted a similar patch, see https://
patchwork.linuxtv.org/patch/49770/

Mauro,

This is a serious issue so I'd like to get the patch merged in v4.18, but it 
could be argued that it's getting late for that, especially given that the bug 
has been there since v4.14. Would you be OK merging this in v4.18 ? If so 
could you pick https://patchwork.linuxtv.org/patch/49770/ up, or would you 
like me to send a pull request ?

> ---
>  drivers/media/usb/uvc/uvc_driver.c | 11 ++++-------
>  1 file changed, 4 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/media/usb/uvc/uvc_driver.c
> b/drivers/media/usb/uvc/uvc_driver.c index 2469b49..3cbdc87 100644
> --- a/drivers/media/usb/uvc/uvc_driver.c
> +++ b/drivers/media/usb/uvc/uvc_driver.c
> @@ -1871,13 +1871,6 @@ static void uvc_unregister_video(struct uvc_device
> *dev) {
>  	struct uvc_streaming *stream;
> 
> -	/* Unregistering all video devices might result in uvc_delete() being
> -	 * called from inside the loop if there's no open file handle. To avoid
> -	 * that, increment the refcount before iterating over the streams and
> -	 * decrement it when done.
> -	 */
> -	kref_get(&dev->ref);
> -
>  	list_for_each_entry(stream, &dev->streams, list) {
>  		if (!video_is_registered(&stream->vdev))
>  			continue;
> @@ -1888,6 +1881,10 @@ static void uvc_unregister_video(struct uvc_device
> *dev) uvc_debugfs_cleanup_stream(stream);
>  	}
> 
> +	/* Release the reference implicit in kref_init from uvc_probe,
> +	 * the UVC device won't be deleted until the last file descriptor
> +	 * is also closed.
> +	 */
>  	kref_put(&dev->ref, uvc_delete);
>  }

-- 
Regards,

Laurent Pinchart



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ