RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-24 14:47:34 +00:00
Code Issues Activity Actions

Kernel/USB: Remove UAF in device removal

Browse source 
I was using a raw pointer instead of a RefPtr to keep the device alive
during removal.
This commit is contained in:
Luke 2021-08-14 22:09:41 +01:00 committed by Andreas Kling
parent a548366425
commit 51b6bd8d95
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Kernel/Bus/USB/USBHub.cpp
View file

@ -297,7 +297,7 @@ void Hub::check_for_port_updates()
} else { } else {
dbgln("USB Hub: Device detached on port {}!", port_number); dbgln("USB Hub: Device detached on port {}!", port_number);
Device* device_to_remove = nullptr; RefPtr<Device> device_to_remove = nullptr;
for (auto& child : m_children) { for (auto& child : m_children) {
if (port_number == child.port()) { if (port_number == child.port()) {
device_to_remove = &child; device_to_remove = &child;
@ -310,7 +310,7 @@ void Hub::check_for_port_updates()
SysFSUSBBusDirectory::the().unplug(*device_to_remove); SysFSUSBBusDirectory::the().unplug(*device_to_remove);
if (device_to_remove->device_descriptor().device_class == USB_CLASS_HUB) { if (device_to_remove->device_descriptor().device_class == USB_CLASS_HUB) {
auto* hub_child = static_cast<Hub*>(device_to_remove); auto* hub_child = static_cast<Hub*>(device_to_remove.ptr());
hub_child->remove_children_from_sysfs(); hub_child->remove_children_from_sysfs();
} }
} else { } else {