| author | 2025-12-09 22:09:03 +0100 | |
|---|---|---|
| committer | 2025-12-15 15:12:28 +0100 | |
| commit | a260bd22a355bcdb74cedac6ab9b10739cd2c62c (patch) | |
| tree | 10fe197ba2ae6c1c1c2756c7a9671ae571a67d8b /security/apparmor/ssh:/git@git.zx2c4.com/git:/git.zx2c4.com | |
| parent | Linux 6.19-rc1 (diff) | |
media: mc: fix potential use-after-free in media_request_alloc()

Commit 6f504cbf108a ("media: convert media_request_alloc() to
FD_PREPARE()") moved the call to fd_install() (now hidden in
fd_publish()) before the snprintf(), making the later write to
potentially already freed memory, as userland is free to call
close() concurrently right after the call to fd_install() which
may end up in the request_fops.release() handler freeing 'req'.

Fixes: 6f504cbf108a ("media: convert media_request_alloc() to FD_PREPARE()")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Link: https://patch.msgid.link/20251209210903.603958-1-minipli@grsecurity.net
Signed-off-by: Christian Brauner <brauner@kernel.org>
Diffstat (limited to 'security/apparmor/ssh:/git@git.zx2c4.com/git:/git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions
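
The ordering problem the commit message describes, as an added user-space model (not kernel code and not part of this commit; the patch itself is not shown on this page). Every identifier below is hypothetical, `racing_close` forces the interleaving where close() runs right after publication, and treating "publish last" as the safe ordering is an assumption of the example.

```c
#include <stdio.h>
#include <string.h>

/* User-space model only; every name here is hypothetical. */
struct request {
    char debug_str[32];
    int released;           /* stands in for release() freeing the object */
    int writes_after_free;  /* stores that would have hit freed memory */
};

static struct request *fd_slot;  /* one-entry stand-in for the fd table */

/* Models the release() handler dropping the last reference. */
static void model_release(void)
{
    if (fd_slot) { fd_slot->released = 1; fd_slot = NULL; }
}

/* Models fd_install(): the object becomes reachable from userland.
 * racing_close picks the worst case: close() runs right afterwards. */
static void model_publish(struct request *req, int racing_close)
{
    fd_slot = req;
    if (racing_close) model_release();
}

/* All stores go through here so a late write is counted, not performed. */
static void set_debug_str(struct request *req, int fd)
{
    if (req->released) { req->writes_after_free++; return; }
    snprintf(req->debug_str, sizeof(req->debug_str), "%d", fd);
}

/* publish_first=1: publish, then write (the order the message describes).
 * publish_first=0: finish every write, publish last (assumed safe order).
 * Returns the number of writes that landed after release. */
static int alloc_request(struct request *req, int publish_first, int racing_close)
{
    memset(req, 0, sizeof(*req));
    if (publish_first) model_publish(req, racing_close);
    set_debug_str(req, 3);
    if (!publish_first) model_publish(req, racing_close);
    return req->writes_after_free;
}

int main(void)
{
    struct request r;
    printf("publish first: %d late write(s)\n", alloc_request(&r, 1, 1));
    printf("publish last:  %d late write(s)\n", alloc_request(&r, 0, 1));
    return 0;
}
```

With `racing_close` set to 0 the publish-first order also reports no late write, which is why this class of bug tends to pass ordinary testing.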
