diff options
| author | Sean Young <sean@mess.org> | 2024-04-24 17:18:39 +0800 |
|---|---|---|
| committer | openeuler-sync-bot <openeuler.syncbot@gmail.com> | 2024-04-25 16:08:54 +0800 |
| commit | bade7092c255a75dc4ded6a43c146f4a434f3f60 (patch) | |
| tree | 0595c2303ff5e1a7b6f148f425973c037537e22a | |
| parent | 272e398dbb6ed5290871f3ec58218fbf81b3a02c (diff) | |
| download | openEuler-kernel-bade7092c255a75dc4ded6a43c146f4a434f3f60.tar.gz | |
media: rc: bpf attach/detach requires write permission
stable inclusion
from stable-v5.10.210
commit 93d8109bf182510629bbefc8cd45296d2393987f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJVU
CVE: CVE-2023-52642
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=93d8109bf182510629bbefc8cd45296d2393987f
--------------------------------
commit 6a9d552483d50953320b9d3b57abdee8d436f23f upstream.
Note that bpf attach/detach also requires CAP_NET_ADMIN.
Cc: stable@vger.kernel.org
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zhenzeng Su <suzhenzeng@huawei.com>
(cherry picked from commit 8cba46fe5d13688a84edabbdd83e9f8f9a32f513)
| -rw-r--r-- | drivers/media/rc/bpf-lirc.c | 6 | ||||
| -rw-r--r-- | drivers/media/rc/lirc_dev.c | 5 | ||||
| -rw-r--r-- | drivers/media/rc/rc-core-priv.h | 2 |
3 files changed, 8 insertions, 5 deletions
diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c index afae0afe3f810e..a8c55e4bfaee21 100644 --- a/drivers/media/rc/bpf-lirc.c +++ b/drivers/media/rc/bpf-lirc.c @@ -249,7 +249,7 @@ int lirc_prog_attach(const union bpf_attr *attr, struct bpf_prog *prog) if (attr->attach_flags) return -EINVAL; - rcdev = rc_dev_get_from_fd(attr->target_fd); + rcdev = rc_dev_get_from_fd(attr->target_fd, true); if (IS_ERR(rcdev)) return PTR_ERR(rcdev); @@ -274,7 +274,7 @@ int lirc_prog_detach(const union bpf_attr *attr) if (IS_ERR(prog)) return PTR_ERR(prog); - rcdev = rc_dev_get_from_fd(attr->target_fd); + rcdev = rc_dev_get_from_fd(attr->target_fd, true); if (IS_ERR(rcdev)) { bpf_prog_put(prog); return PTR_ERR(rcdev); @@ -299,7 +299,7 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr) if (attr->query.query_flags) return -EINVAL; - rcdev = rc_dev_get_from_fd(attr->query.target_fd); + rcdev = rc_dev_get_from_fd(attr->query.target_fd, false); if (IS_ERR(rcdev)) return PTR_ERR(rcdev); diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c index 220363b9a868da..c001f896afe1d0 100644 --- a/drivers/media/rc/lirc_dev.c +++ b/drivers/media/rc/lirc_dev.c @@ -822,7 +822,7 @@ void __exit lirc_dev_exit(void) unregister_chrdev_region(lirc_base_dev, RC_DEV_MAX); } -struct rc_dev *rc_dev_get_from_fd(int fd) +struct rc_dev *rc_dev_get_from_fd(int fd, bool write) { struct fd f = fdget(fd); struct lirc_fh *fh; @@ -836,6 +836,9 @@ struct rc_dev *rc_dev_get_from_fd(int fd) return ERR_PTR(-EINVAL); } + if (write && !(f.file->f_mode & FMODE_WRITE)) + return ERR_PTR(-EPERM); + fh = f.file->private_data; dev = fh->rc; diff --git a/drivers/media/rc/rc-core-priv.h b/drivers/media/rc/rc-core-priv.h index 62f032dffd33a0..dfe0352c0f0a62 100644 --- a/drivers/media/rc/rc-core-priv.h +++ b/drivers/media/rc/rc-core-priv.h @@ -325,7 +325,7 @@ void lirc_raw_event(struct rc_dev *dev, struct ir_raw_event ev); void lirc_scancode_event(struct rc_dev *dev, struct lirc_scancode *lsc); int lirc_register(struct rc_dev *dev); void lirc_unregister(struct rc_dev *dev); -struct rc_dev *rc_dev_get_from_fd(int fd); +struct rc_dev *rc_dev_get_from_fd(int fd, bool write); #else static inline int lirc_dev_init(void) { return 0; } static inline void lirc_dev_exit(void) {} |