[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-video
Subject: [video4linux] Re: bttv security and stability problems
From: alan () lxorguk ! ukuu ! org ! uk (Alan Cox)
Date: 1998-08-10 12:08:15
[Download RAW message or body]
> (abstract: rvfree at bttv_close() time is not a good idea,
> bt848_set_risc_jmps(btv) in bttv_close() does not prevent the
> grabber from grabbing into the rvfree'ed memory)
Ah.. oops
> security: one can close /dev/videox and have still mappings
> of the buffers. But as close deallocates them, the user can
> now read (and write) to pages used probably by other processes
> or the kernel. A program could open, mmap, close many times
No. In 2.1.x the final close should go to the device driver on the final unmap
if you close then unmap
> reason, videodev.c:video_mmap has to pass vm_area_struct
> to the driver so it can use vmops->unmap to track the unmap
> case. (I think we must ensure, the module is present during
> a mmapped buffer, too) - as this would change the present
> interface there is no patch yet...
Ok. To cover 2.0 as well thats probably the right patch, and also to shut
the grabber down ;) That also explains the occasional overlay race when
VIDIOCCAPTURE doesnt stop capturing instantly ?
------------
To unsubscribe from this list send mail to majordomo@phunk.org with the
line "unsubscribe video4linux" without the quotes in the body of the
message.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic