diff options
| author | Mathias Krause <minipli@grsecurity.net> | 2022-01-27 18:34:19 +1000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-01-29 10:25:11 +0100 |
| commit | 84b1259fe36ae0915f3d6ddcea6377779de48b82 (patch) | |
| tree | 1d924f8b6fd617a6e7c8becc22ea830e0616c876 /net/lapb/lapb_out.c | |
| parent | 16895e4eac364487a1f1060004a4f3b6c571be27 (diff) | |
| download | linux-84b1259fe36ae0915f3d6ddcea6377779de48b82.tar.gz linux-84b1259fe36ae0915f3d6ddcea6377779de48b82.tar.bz2 linux-84b1259fe36ae0915f3d6ddcea6377779de48b82.zip | |
drm/vmwgfx: Fix stale file descriptors on failed usercopy
commit a0f90c8815706981c483a652a6aefca51a5e191c upstream.
A failing usercopy of the fence_rep object will lead to a stale entry in
the file descriptor table as put_unused_fd() won't release it. This
enables userland to refer to a dangling 'file' object through that still
valid file descriptor, leading to all kinds of use-after-free
exploitation scenarios.
Fix this by deferring the call to fd_install() until after the usercopy
has succeeded.
Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/lapb/lapb_out.c')
0 files changed, 0 insertions, 0 deletions