| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 05 Dec 2017 23:30:19 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Kees Cook <keescook@...omium.org>
Cc: Nick Desaulniers <ndesaulniers@...gle.com>,
moderated for non-subscribers <alsa-devel@...a-project.org>,
Arvind Yadav <arvind.yadav.cs@...il.com>,
Robb Glasser <rglasser@...gle.com>,
Jaroslav Kysela <perex@...ex.cz>,
Takashi Sakamoto <o-takashi@...amocchi.jp>,
Markus Elfring <elfring@...rs.sourceforge.net>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info
On Tue, 05 Dec 2017 20:29:07 +0100,
Kees Cook wrote:
>
> On Tue, Dec 5, 2017 at 11:14 AM, Takashi Iwai <tiwai@...e.de> wrote:
> > On Tue, 05 Dec 2017 18:16:55 +0100,
> > Nick Desaulniers wrote:
> >>
> >> From: Robb Glasser <rglasser@...gle.com>
> >>
> >> When the device descriptor is closed, the `substream->runtime` pointer
> >> is freed. But another thread may be in the ioctl handler, case
> >> SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
> >> calls snd_pcm_info() which accesses the now freed `substream->runtime`.
> >>
> >> Signed-off-by: Robb Glasser <rglasser@...gle.com>
> >> Signed-off-by: Nick Desaulniers <ndesaulniers@...gle.com>
> >
> > Looks reasonable. Applied with Cc to stable now.
>
> FWIW, this was assigned CVE-2017-0861. (Best to get it into the commit
> log if possible.)
OK, I updated the changelog. Thanks for information.
Takashi
Powered by blists - more mailing lists