Fix device removal loop bounds#46
Open
Shaoen-Lin wants to merge 1 commit into
Open
Conversation
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="control.c">
<violation number="1" location="control.c:122">
P0: TOCTOU race condition in device destruction: device pointer captured outside `vcam_devices_lock` while array mutation happens inside it. Concurrent `VCAM_IOCTL_DESTROY_DEVICE` calls on different indices can leave a dangling pointer in `vcam_devices` after one thread frees the device, causing UAF on later access.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
|
|
||
| spin_lock_irqsave(&ctldev->vcam_devices_lock, flags); | ||
| for (i = dev_spec->idx; i < (ctldev->vcam_device_count); i++) | ||
| for (i = dev_spec->idx; i + 1 < (ctldev->vcam_device_count); i++) |
There was a problem hiding this comment.
P0: TOCTOU race condition in device destruction: device pointer captured outside vcam_devices_lock while array mutation happens inside it. Concurrent VCAM_IOCTL_DESTROY_DEVICE calls on different indices can leave a dangling pointer in vcam_devices after one thread frees the device, causing UAF on later access.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At control.c, line 122:
<comment>TOCTOU race condition in device destruction: device pointer captured outside `vcam_devices_lock` while array mutation happens inside it. Concurrent `VCAM_IOCTL_DESTROY_DEVICE` calls on different indices can leave a dangling pointer in `vcam_devices` after one thread frees the device, causing UAF on later access.</comment>
<file context>
@@ -119,7 +119,7 @@ static int control_iocontrol_destroy_device(struct vcam_device_spec *dev_spec)
spin_lock_irqsave(&ctldev->vcam_devices_lock, flags);
- for (i = dev_spec->idx; i < (ctldev->vcam_device_count); i++)
+ for (i = dev_spec->idx; i + 1 < (ctldev->vcam_device_count); i++)
ctldev->vcam_devices[i] = ctldev->vcam_devices[i + 1];
ctldev->vcam_devices[--ctldev->vcam_device_count] = NULL;
</file context>
The removal loop shifts vcam_devices entries left by reading vcam_devices[i + 1]. The current loop lets i reach vcam_device_count - 1, so the last iteration reads one entry past the valid array range. Stop the loop before i + 1 reaches vcam_device_count. Signed-off-by: Shaoen-Lin <shaoen.lin92@gmail.com>
Shaoen-Lin
force-pushed
the
fix-device-removal-loop
branch
from
38e5abd to
ce31656
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When removing a device, the control device shifts the remaining
vcam_devicesentries left by readingvcam_devices[i + 1].The current loop allows i to reach
vcam_device_count - 1, so the last iteration readsvcam_devices[vcam_device_count], which is outside the valid range.Stop the loop before
i + 1reachesvcam_device_count.Summary by cubic
Fix off-by-one in the device removal shift loop by bounding it to
i + 1 < vcam_device_count, preventing reads past the end ofvcam_devices. This avoids out-of-bounds access and crashes when removing the last device.Written for commit ce31656. Summary will update on new commits.