mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
ALSA: pcm: prevent UAF in snd_pcm_info
When the device descriptor is closed, the `substream->runtime` pointer is freed. But another thread may be in the ioctl handler, case SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which calls snd_pcm_info() which accesses the now freed `substream->runtime`. Bug: 36006981 Signed-off-by: Robb Glasser <rglasser@google.com> Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> Change-Id: I445d24bc21dc0af6d9522a8daabe64969042236a
This commit is contained in:
parent
277389dc14
commit
745b477c70
1 changed files with 2 additions and 0 deletions
|
@ -146,7 +146,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card,
|
||||||
err = -ENXIO;
|
err = -ENXIO;
|
||||||
goto _error;
|
goto _error;
|
||||||
}
|
}
|
||||||
|
mutex_lock(&pcm->open_mutex);
|
||||||
err = snd_pcm_info_user(substream, info);
|
err = snd_pcm_info_user(substream, info);
|
||||||
|
mutex_unlock(&pcm->open_mutex);
|
||||||
_error:
|
_error:
|
||||||
mutex_unlock(®ister_mutex);
|
mutex_unlock(®ister_mutex);
|
||||||
return err;
|
return err;
|
||||||
|
|
Loading…
Reference in a new issue