BUG in videodev.c [PATCH]

Richard Guenther (zxmpm11@student.uni-tuebingen.de)
Sat, 6 Mar 1999 12:59:21 +0100 (MET)


Hi!

A bug in videodev.c lets you mmap device memory and free it
via close() - this leaves you with a nice "Blanko" mapping
of some memory. For example the bttv driver is vulnerable
as it frees its buffer in close(). (The drivers itself
cannot fix it, since they dont get the vm_area_struct)

Richard.

PS: patch is against 2.2.3-pre1

--- linux-2.2.0/drivers/char/videodev.c.original-pre1 Sat Mar 6 11:53:10 1999
+++ linux-2.2.0/drivers/char/videodev.c Sat Mar 6 12:04:50 1999
@@ -295,9 +295,18 @@
{
struct video_device *vfl=video_device[MINOR(ino->i_rdev)];
#endif
- if(vfl->mmap)
- return vfl->mmap(vfl, (char *)vma->vm_start,
+ int res;
+
+ if(vfl->mmap) {
+ res = vfl->mmap(vfl, (char *)vma->vm_start,
(unsigned long)(vma->vm_end-vma->vm_start));
+ if (!res) {
+ vma->vm_file = file;
+ file->f_count++;
+ }
+ return res;
+ }
+
return -EINVAL;
}

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/