• Takashi Sakamoto's avatar
    firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region · 531390a2
    Takashi Sakamoto authored
    This patch is fix for Linux kernel v2.6.33 or later.
    
    For request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem
    have had an issue of use-after-free. The subsystem allows multiple
    user space listeners to the region, while data of the payload was likely
    released before the listeners execute read(2) to access to it for copying
    to user space.
    
    The issue was fixed by a commit 281e2032 ("firewire: core: fix
    use-after-free regression in FCP handler"). The object of payload is
    duplicated in kernel space for each listener. When the listener executes
    ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to
    be released.
    
    However, it causes memory leak since the commit relies on call of
    release_request() in drivers/firewire/core-cdev.c. Against the
    expectation, the function is never called due to the design of
    release_client_resource(). The function delegates release task
    to caller when called with non-NULL fourth argument. The implementation
    of ioctl_send_response() is the case. It should release the object
    explicitly.
    
    This commit fixes the bug.
    
    Cc: <stable@vger.kernel.org>
    Fixes: 281e2032 ("firewire: core: fix use-after-free regression in FCP handler")
    Signed-off-by: default avatarTakashi Sakamoto <o-takashi@sakamocchi.jp>
    Link: https://lore.kernel.org/r/20230117090610.93792-2-o-takashi@sakamocchi.jpSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    531390a2
core-cdev.c 45.8 KB