Memory/Filesystem corruption caused by bttv SOLVED! [PATCH]

Richard Guenther (zxmpm11@student.uni-tuebingen.de)
Sat, 30 Jan 1999 12:16:45 +0100 (MET)



Hi Alan, Linus!

If you experienced random oopses, random filesystem corruption or
the like and you are by any chance using a bttv card you may want
to apply the patch attached to get rid of the problems. (I don't
know if this is a brown paper bag one - for me it is :))

Now, the reason for the problems is that the bttv driver deallocates
the grabbing buffer at device close() time, which is bad, as the
bttv card seems to go on with grabbing (proved by the attached program).
Also the memory mappings stay intact, so after the close() you have
access to memory you don't own anymore -> security hole (proved by
the attached program).

The simple fix is to move the buffer freeing code to bttv_release
(i.e. to driver closedown time). The downside is of course that
the buffer may now never be deallocated.

The attached program does prove the security hole by just opening
/dev/video0, mmapping the memory and closing /dev/video0. After
some time you can notice changes in mmapped memory -> proved.
The attached program also proves the memory corruption bug. Just
issue "while true; do ./bttvtest 1; done" and do some memory-allocating
things (f.i. find /). BUT BEWARE! THIS WILL USUALLY CAUSE OOPSES,
MEMORY AND FILESYSTEM CORRUPTION! (this will happen after only a few
seconds), so unmount/remount ro all your filesystems! (Alt-Sysrq-u is
your friend).

Richard.

PS: bttv and memory/filesystem corruption seems to be quite a regular
pattern these days - I wonder how many of these strange oops
reports will go away by applying the patch...

PS2: if you are not convinced that this will be a problem in real
life (without this sort of stress test program) I can tell you
it does for me. Just think of developing a grabbing program -
you will likely start/stop it many times and after a few
hours you will be convinced...

--
Richard Guenther <richard.guenther@student.uni-tuebingen.de>
PGP: 2E829319 - 2F 83 FC 93 E9 E4 19 E2 93 7A 32 42 45 37 23 57
WWW: http://www.anatom.uni-tuebingen.de/~richi/

bttv-patch (attachment, decoded from base64):

--- linux-2.2.0/drivers/char/bttv.c.original	Sat Jan 30 12:14:34 1999
+++ linux-2.2.0/drivers/char/bttv.c	Sat Jan 30 12:34:35 1999
@@ -1535,7 +1535,7 @@
                 users+=bttvs[i].user;
         if (users==1)
                 find_vga();
-        btv->fbuffer=NULL;
+        /* btv->fbuffer=NULL; */
         if (!btv->fbuffer)
                 btv->fbuffer=(unsigned char *) rvmalloc(2*BTTV_MAX_FBUF);
         if (!btv->fbuffer)
@@ -1560,9 +1560,9 @@
 	btv->cap&=~3;
 	bt848_set_risc_jmps(btv);
 
-	if(btv->fbuffer)
+/*	if(btv->fbuffer)
 		rvfree((void *) btv->fbuffer, 2*BTTV_MAX_FBUF);
-	btv->fbuffer=0;
+	btv->fbuffer=0; */
 	MOD_DEC_USE_COUNT;  
 }
 
@@ -3712,6 +3712,9 @@
 		if (btv->vbibuf)
 			vfree((void *) btv->vbibuf);
 
+		if(btv->fbuffer)
+		        rvfree((void *) btv->fbuffer, 2*BTTV_MAX_FBUF);
+	        btv->fbuffer=0;
 
 		free_irq(btv->irq,btv);
 		DEBUG(printk(KERN_DEBUG "bt848_mem: 0x%08x.\n", btv->bt848_mem));
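Review bot: in the @@ -1535,7 hunk the grab buffer now survives from one open() to the next without being cleared, because `btv->fbuffer=NULL;` is merely commented out and `rvmalloc(2*BTTV_MAX_FBUF)` only runs while the pointer is still NULL; the next process to open /dev/video0 and mmap it therefore sees whatever frames the previous user grabbed. If that cross-user leak is not acceptable, clear the buffer on open (or when the last user closes), and delete the dead line instead of leaving it inside `/* */`.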
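Review bot: the @@ -1560,9 hunk removes the free from close() but does nothing about the root cause named in the mail, namely that the card keeps grabbing after `btv->cap&=~3; bt848_set_risc_jmps(btv);` have been issued. Keeping the buffer allocated means the DMA no longer lands in freed pages, but a capture started just before close() can still complete into memory that a later opener has already mapped; consider waiting for the RISC program to go idle before returning from close. Also, delete the three lines rather than wrapping them in `/* ... */`.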
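Review bot: in the @@ -3712,6 hunk the three added lines indent with a tab followed by eight spaces, while the surrounding lines (`\t\tif (btv->vbibuf)`, `\t\t\tvfree(...)`) use tabs only; use tabs and write `if (btv->fbuffer)` to match the `if (btv->vbibuf)` form above. Placement mirrors how vbibuf is freed, but note that both buffers are released before `free_irq(btv->irq,btv)`, so the card's interrupt path is still registered while the memory is gone; releasing the IRQ (with capture confirmed stopped) before the rvfree would close that window.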

bttvtest.c (attachment, decoded from base64; stdlib.h/string.h includes, the MAP_FAILED check and the double close() guard added):

#include <sys/mman.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include "videodev.h"

/* size of one bttv grab buffer; the driver maps two of them back to back */
#define BTTV_MAX_FBUF 0x151000

/* returns 1 as soon as any byte of the region is nonzero */
int access_mem(char *mem, int size)
{
  int i;

  for (i=0; i<size; i++)
    if (((volatile char *)mem)[i] != 0)
      return 1;
  return 0;
}

int main(int argc, char **argv)
{
  int fd, cnt, g0 = 0, g1 = 0, which;
  char *map;
  struct video_mmap vmap;
  struct timeval start, stop;

  if (argc < 2) {
    fprintf(stderr, "Usage: %s which\n", argv[0]);
    exit(0);
  }
  which = atoi(argv[1]);
  if (which != 0 && which != 1)
    exit(-1);

  if ((fd = open("/dev/video0", O_RDWR)) == -1) {
    perror("open /dev/video0");
    goto _out;
  }

  /* map both grab buffers and zero them so any later write is visible */
  map = mmap(0, BTTV_MAX_FBUF*2, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
  if (map == MAP_FAILED) {
    perror("mmap");
    goto _close_vid;
  }
  memset(map, 0, BTTV_MAX_FBUF*2);

  vmap.height = 576;
  vmap.width = 768;
  vmap.format = VIDEO_PALETTE_RGB24;

  if (which == 0) {
    /*
     * show security flaw (read mem after close)
     * ideally, we could loop over open(), mmap() and close()
     * and get just every mem mapped to our process after
     * some time??
     */
    if (close(fd) == -1)
      perror("close");
    fd = -1;
    cnt = 0;
    /* the mapping is still readable after close(); spin until someone
       (the card, or the next owner of the freed pages) writes into it */
    while (1) {
      if (access_mem(map, BTTV_MAX_FBUF*2)) {
        fprintf(stderr, "ARGH! mem modified after %i runs!\n", cnt);
        break;
      }
      cnt++;
    }

  } else if (which == 1) {
    /*
     * show memory corruption!! (be careful!)
     * with CORRUPT defined you should be able to crash your
     * machine with starting bttvtest for a few times...
     */
#define CORRUPT
    gettimeofday(&start, NULL);
    /* start a grab into each buffer, then close() while they may still
       be in flight: the driver frees the buffers, the card keeps writing */
    vmap.frame = 0;
    if (ioctl(fd, VIDIOCMCAPTURE, &vmap) == -1)
      perror("VIDIOCMCAPTURE");
    vmap.frame = 1;
    if (ioctl(fd, VIDIOCMCAPTURE, &vmap) == -1)
      perror("VIDIOCMCAPTURE");
    if (close(fd) == -1)
      perror("close");
    fd = -1;
    gettimeofday(&stop, NULL);

#ifndef CORRUPT
    /* here, grabbing should just have started or never start */
    g0 = access_mem(map, BTTV_MAX_FBUF);
    g1 = access_mem(map+BTTV_MAX_FBUF, BTTV_MAX_FBUF);
#endif

    fprintf(stderr, "2 times VIDIOCMCAPTURE + close lasts %li us\n",
            (long)(stop.tv_sec-start.tv_sec)*1000000
            + (long)(stop.tv_usec-start.tv_usec));
#ifndef CORRUPT
    usleep(2*40000);

    /* here grabbing should be finished */
    if (g1 != access_mem(map+BTTV_MAX_FBUF, BTTV_MAX_FBUF))
      fprintf(stderr, "Grabbing to frame 1 started after close!??\n");
    if (g0 != access_mem(map, BTTV_MAX_FBUF))
      fprintf(stderr, "Grabbing to frame 0 started after close!??\n");
#endif
  }

  if (munmap(map, BTTV_MAX_FBUF*2) == -1)
    perror("munmap");
_close_vid:
  if (fd != -1 && close(fd) == -1)
    perror("close");
_out:
  return 0;
}
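As an added example, not part of Richard's mail or of the bttv driver, the following user-space C program shows the kernel rule behind the bug: a MAP_SHARED mapping is owned by the process's VMA, not by the file descriptor, so it keeps working after close(). A driver that frees the pages in its close() hook therefore leaves every live mapping pointing at memory it no longer owns; the buffer has to stay until the last mapping is gone (the patch approximates this by keeping it until module release). A temp file stands in for the driver's frame buffer; the path, BUF_SIZE and the function names are this example's own choices, and region_touched()/wait_for_change() are a bounded version of the polling loop in bttvtest.c.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define BUF_SIZE 4096   /* stand-in for the driver's grab buffer (assumed size) */

/* Same check as access_mem() in bttvtest.c: 1 if any byte is nonzero.
 * volatile stops the compiler from caching the reads, which matters when
 * the writer is a DMA engine rather than this process. */
int region_touched(const volatile unsigned char *mem, size_t size)
{
    for (size_t i = 0; i < size; i++)
        if (mem[i] != 0)
            return 1;
    return 0;
}

/* Bounded form of the "bttvtest 0" loop: the pass on which the region first
 * became nonzero, or -1 if it stayed zero for max_iters passes. */
long wait_for_change(const volatile unsigned char *mem, size_t size,
                     long max_iters)
{
    for (long i = 0; i < max_iters; i++)
        if (region_touched(mem, size))
            return i;
    return -1;
}

/* Map a zero-filled scratch file, close() the descriptor, write through the
 * mapping anyway, then reopen the file by path and count how many written
 * bytes are visible.  Returns that count (BUF_SIZE when the mapping survived
 * the close, as it must) or -1 on a setup error. */
long mapping_survives_close(void)
{
    char path[] = "/tmp/mapdemo-XXXXXX";   /* constructed scratch file */
    unsigned char rd[BUF_SIZE];
    long visible = 0;

    int fd = mkstemp(path);
    if (fd == -1)
        return -1;
    if (ftruncate(fd, BUF_SIZE) == -1) {
        close(fd); unlink(path);
        return -1;
    }
    unsigned char *map = mmap(NULL, BUF_SIZE, PROT_READ | PROT_WRITE,
                              MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) {
        close(fd); unlink(path);
        return -1;
    }

    /* The descriptor goes away here; the mapping does not. */
    close(fd);

    /* Fresh file pages are zero-filled, like the memset() buffer in
     * bttvtest.c before the card starts writing. */
    if (wait_for_change(map, BUF_SIZE, 3) != -1) {
        munmap(map, BUF_SIZE); unlink(path);
        return -1;
    }

    /* Writing after close() is legal: the pages still belong to the VMA. */
    memset(map, 0xAA, BUF_SIZE);
    msync(map, BUF_SIZE, MS_SYNC);

    int fd2 = open(path, O_RDONLY);
    if (fd2 != -1) {
        ssize_t n = read(fd2, rd, BUF_SIZE);
        for (ssize_t i = 0; i < n; i++)
            if (rd[i] == 0xAA)
                visible++;
        close(fd2);
    } else {
        visible = -1;
    }

    munmap(map, BUF_SIZE);
    unlink(path);
    return visible;
}

int main(void)
{
    long n = mapping_survives_close();
    printf("bytes written through a closed descriptor's mapping: %ld of %d\n",
           n, BUF_SIZE);
    return n == BUF_SIZE ? 0 : 1;
}
```

The same reasoning applies to a device driver's mmap: the kernel does not tear down VMAs in release(), so freeing the backing pages there is a use-after-free for every process still holding the mapping, whether the writer is the CPU or, as with bttv, the card's DMA engine.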

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/