| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <s5hpouad3rt.wl-tiwai@suse.de>
Date: Thu, 31 Mar 2016 18:13:26 +0200
From: Takashi Iwai <tiwai@...e.de>
To: Vladis Dronov <vdronov@...hat.com>
Cc: Jaroslav Kysela <perex@...ex.cz>, alsa-devel@...a-project.org,
linux-kernel@...r.kernel.org, linux-sound@...r.kernel.org
Subject: Re: [PATCH] ALSA: usb-audio: Fix double-free in snd_usb_add_audio_stream()
On Thu, 31 Mar 2016 18:05:43 +0200,
Vladis Dronov wrote:
>
> From: Vladis Dronov <vdronov@...hat.com>
> Subject: [PATCH] ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call
>
> create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
> create_uaxx_quirk() functions allocate the audioformat object by themselves
> and free it upon error before returning. However, once the object is linked
> to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
> double-freed, eventually resulting in a memory corruption.
>
> This patch fixes these failures in the error paths by unlinking the audioformat
> object before freeing it.
>
> Based on a patch by Takashi Iwai" <tiwai@...e.de>
>
> [Note for stable backports:
> this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
> code cleanup in create_fixed_stream_quirk()')]
>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
> Reported-by: Ralf Spenneberg <ralf@...nneberg.net>
> Cc: <stable@...r.kernel.org> # see the note above
> Signed-off-by: Vladis Dronov <vdronov@...hat.com>
Applied, thanks.
Takashi
Powered by blists - more mailing lists