diff options
| author | Akash Goel <akash.goel@arm.com> | 2025-11-27 16:49:12 +0000 |
|---|---|---|
| committer | Boris Brezillon <boris.brezillon@collabora.com> | 2025-11-28 10:09:02 +0100 |
| commit | eec7e23d848d2194dd8791fcd0f4a54d4378eecd (patch) | |
| tree | 9e28e9c45f9e6a08da339b30ec088dbdb4673737 /net/unix/af_unix.c | |
| parent | 31d3354f42c0da34415164a1f621a195caa1f1bc (diff) | |
drm/panthor: Prevent potential UAF in group creation
This commit prevents the possibility of a use after free issue in the
GROUP_CREATE ioctl function, which arose as pointer to the group is
accessed in that ioctl function after storing it in the Xarray.
A malicious userspace can second guess the handle of a group and try
to call GROUP_DESTROY ioctl from another thread around the same time
as GROUP_CREATE ioctl.
To prevent the use after free exploit, this commit uses a mark on an
entry of group pool Xarray which is added just before returning from
the GROUP_CREATE ioctl function. The mark is checked for all ioctls
that specify the group handle and so userspace won't be abe to delete
a group that isn't marked yet.
v2: Add R-bs and fixes tags
Fixes: de85488138247 ("drm/panthor: Add the scheduler logical block")
Co-developed-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Akash Goel <akash.goel@arm.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
Link: https://patch.msgid.link/20251127164912.3788155-1-akash.goel@arm.com
Diffstat (limited to 'net/unix/af_unix.c')
0 files changed, 0 insertions, 0 deletions