[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-video
Subject:    [video4linux] Re: bttv security and stability problems
From:       alan () lxorguk ! ukuu ! org ! uk (Alan Cox)
Date:       1998-08-10 12:08:15
[Download RAW message or body]

> (abstract: rvfree at bttv_close() time is not a good idea,
> bt848_set_risc_jmps(btv) in bttv_close() does not prevent the
> grabber from grabbing into the rvfree'ed memory)

Ah.. oops

> security: one can close /dev/videox and have still mappings
> of the buffers. But as close deallocates them, the user can
> now read (and write) to pages used probably by other processes
> or the kernel. A program could open, mmap, close many times

No. In 2.1.x the final close should go to the device driver on the final unmap
if you close then unmap

> reason, videodev.c:video_mmap has to pass vm_area_struct
> to the driver so it can use vmops->unmap to track the unmap
> case. (I think we must ensure, the module is present during
> a mmapped buffer, too) - as this would change the present
> interface there is no patch yet...

Ok. To cover 2.0 as well thats probably the right patch, and also to shut
the grabber down ;) That also explains the occasional overlay race when
VIDIOCCAPTURE doesnt stop capturing instantly ?



------------
To unsubscribe from this list send mail to majordomo@phunk.org with the
line "unsubscribe video4linux" without the quotes in the body of the
message.

[prev in list] [next in list] [prev in thread] [next in thread]