de3313d536
commit a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b upstream. The PCM runtime object is created and freed dynamically at PCM stream open / close time. This is tracked via substream->runtime, and it's cleared at snd_pcm_detach_substream(). The runtime object assignment is protected by PCM open_mutex, so for all PCM operations, it's safely handled. However, each PCM substream provides also an ALSA timer interface, and user-space can access to this while closing a PCM substream. This may eventually lead to a UAF, as snd_pcm_timer_resolution() tries to access the runtime while clearing it in other side. Fortunately, it's the only concurrent access from the PCM timer, and it merely reads runtime->timer_resolution field. So, we can avoid the race by reordering kfree() and wrapping the substream->runtime clearance with the corresponding timer lock. Reported-by: syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
||
|---|---|---|
| .. | ||
| aoa | ||
| arm | ||
| atmel | ||
| core | ||
| drivers | ||
| firewire | ||
| i2c | ||
| isa | ||
| mips | ||
| oss | ||
| parisc | ||
| pci | ||
| pcmcia | ||
| ppc | ||
| sh | ||
| soc | ||
| sparc | ||
| spi | ||
| synth | ||
| usb | ||
| Kconfig | ||
| Makefile | ||
| ac97_bus.c | ||
| last.c | ||
| sound_core.c | ||
| sound_firmware.c | ||