HID: roccat: Fix use-after-free in roccat_read()
Hyunwoo Kim authored
[ Upstream commit cacdb14b ]

roccat_report_event() is responsible for registering
roccat-related reports in struct roccat_device.

int roccat_report_event(int minor, u8 const *data)
{
	struct roccat_device *device;
	struct roccat_reader *reader;
	struct roccat_report *report;
	uint8_t *new_value;

	device = devices[minor];

	new_value = kmemdup(data, device->report_size, GFP_ATOMIC);
	if (!new_value)
		return -ENOMEM;

	report = &device->cbuf[device->cbuf_end];

	/* passing NULL is safe */
	kfree(report->value);
	...

The registered report is stored in the struct roccat_device member
"struct roccat_report cbuf[ROCCAT_CBUF_SIZE];".
If more reports are received than the "ROCCAT_CBUF_SIZE" value,
the saved report from cbuf[0] is kfree()d and a new report is allocated.
Since there is no lock when this kfree() is performed,
kfree() can be performed even while reading the saved report.

static ssize_t roccat_read(struct file *file, char ...
e30c3a9a
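As an added illustration of the defect class the commit message describes (not kernel code and not the patch itself), the following user-space model keeps a ring buffer of heap-allocated reports like roccat's cbuf. The producer frees the slot it is about to overwrite, exactly the step the message says runs without a lock. The remedy shown here is the general one the message implies: one mutex (hypothetically named cbuf_lock) taken around both the free-and-replace step and the reader's copy-out, with the reader never touching the heap pointer after releasing the lock. All names, sizes and sample reports are constructed for this example.

```c
/* Added example: mutex-protected ring buffer of heap-allocated reports.
 * Models the cbuf pattern from the commit message; not kernel code.
 * Build: cc -pthread -fsanitize=thread example.c */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define CBUF_SIZE 4                 /* constructed; stands in for ROCCAT_CBUF_SIZE */

struct report { uint8_t *value; size_t len; };

struct device {
    struct report cbuf[CBUF_SIZE];
    unsigned int cbuf_end;          /* next slot to overwrite */
    size_t report_size;
    pthread_mutex_t cbuf_lock;      /* hypothetical: guards cbuf, cbuf_end, every value pointer */
};

void device_init(struct device *dev, size_t report_size) {
    memset(dev, 0, sizeof *dev);
    dev->report_size = report_size;
    pthread_mutex_init(&dev->cbuf_lock, NULL);
}

void device_destroy(struct device *dev) {
    for (int i = 0; i < CBUF_SIZE; i++) free(dev->cbuf[i].value);
    pthread_mutex_destroy(&dev->cbuf_lock);
}

/* Producer: copy data into the next slot, freeing whatever was there.
 * The free and the pointer swap happen under cbuf_lock, so a reader that
 * also holds the lock sees either the old value whole or the new one. */
int report_event(struct device *dev, const uint8_t *data) {
    uint8_t *new_value = malloc(dev->report_size);
    if (!new_value) return -1;
    memcpy(new_value, data, dev->report_size);

    pthread_mutex_lock(&dev->cbuf_lock);
    struct report *r = &dev->cbuf[dev->cbuf_end];
    free(r->value);                 /* free(NULL) is safe, as kfree(NULL) is */
    r->value = new_value;
    r->len = dev->report_size;
    dev->cbuf_end = (dev->cbuf_end + 1) % CBUF_SIZE;
    pthread_mutex_unlock(&dev->cbuf_lock);
    return 0;
}

/* Reader: copy slot idx into a caller-owned buffer while holding the lock.
 * Returns bytes copied, 0 for an empty slot, -1 for a bad index. The heap
 * pointer is never used after the unlock, which closes the window in which
 * the producer could free it underneath us. */
ssize_t read_report(struct device *dev, unsigned int idx, uint8_t *out, size_t out_len) {
    if (idx >= CBUF_SIZE) return -1;
    pthread_mutex_lock(&dev->cbuf_lock);
    struct report *r = &dev->cbuf[idx];
    size_t n = 0;
    if (r->value) {
        n = r->len < out_len ? r->len : out_len;
        memcpy(out, r->value, n);
    }
    pthread_mutex_unlock(&dev->cbuf_lock);
    return (ssize_t)n;
}

/* Push more reports than CBUF_SIZE so slot 0 is freed and replaced, then
 * read it back. Returns the first byte now stored in slot 0. */
int demo_wraparound(void) {
    struct device dev;
    device_init(&dev, 2);
    for (uint8_t i = 1; i <= CBUF_SIZE + 1; i++) {   /* constructed reports */
        uint8_t data[2] = { i, (uint8_t)(i * 10) };
        report_event(&dev, data);
    }
    uint8_t out[2] = {0};
    ssize_t n = read_report(&dev, 0, out, sizeof out);
    device_destroy(&dev);
    return n == 2 ? out[0] : -1;    /* slot 0 holds report 5 after the wrap */
}

struct race_args { struct device *dev; int iters; int bad; };

static void *reader_thread(void *p) {
    struct race_args *a = p;
    uint8_t out[2];
    for (int i = 0; i < a->iters; i++)
        if (read_report(a->dev, 0, out, sizeof out) < 0) a->bad++;
    return NULL;
}

/* Producer and reader hammer slot 0 concurrently; with cbuf_lock in place
 * this is race-free (TSan stays quiet). Returns the count of failed reads. */
int demo_concurrent(int iters) {
    struct device dev;
    device_init(&dev, 2);
    struct race_args a = { &dev, iters, 0 };
    pthread_t t;
    pthread_create(&t, NULL, reader_thread, &a);
    for (int i = 0; i < iters; i++) {
        uint8_t data[2] = { (uint8_t)i, (uint8_t)(i >> 8) };
        report_event(&dev, data);
    }
    pthread_join(t, NULL);
    device_destroy(&dev);
    return a.bad;
}

int main(void) {
    printf("slot 0 after wraparound holds report %d\n", demo_wraparound());
    printf("failed concurrent reads: %d\n", demo_concurrent(10000));
    return 0;
}
```

The useful check is to delete the two lock calls in report_event() and rerun under -fsanitize=thread: the sanitizer then reports the free() in the producer racing the memcpy() in the reader, which is the same shape of bug the message describes between kfree() and roccat_read().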
Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.