Message-Id: <20171212124432.279385361@linuxfoundation.org>
Date: Tue, 12 Dec 2017 13:43:56 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Robb Glasser <rglasser@...gle.com>, Nick Desaulniers <ndesaulniers@...gle.com>, Takashi Iwai <tiwai@...e.de>
Subject: [PATCH 4.9 026/148] ALSA: pcm: prevent UAF in snd_pcm_info

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robb Glasser <rglasser@...gle.com>

commit 362bca57f5d78220f8b5907b875961af9436e229 upstream.

When the device descriptor is closed, the `substream->runtime` pointer
is freed. But another thread may be in the ioctl handler, case
SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
calls snd_pcm_info() which accesses the now freed `substream->runtime`.

Note: this fixes CVE-2017-0861

Signed-off-by: Robb Glasser <rglasser@...gle.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@...gle.com>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>

---
 sound/core/pcm.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -149,7 +149,9 @@ static int snd_pcm_control_ioctl(struct
 			err = -ENXIO;
 			goto _error;
 		}
+		mutex_lock(&pcm->open_mutex);
 		err = snd_pcm_info_user(substream, info);
+		mutex_unlock(&pcm->open_mutex);
 	_error:
 		mutex_unlock(&register_mutex);
 		return err;
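Review bot: the new `mutex_lock(&pcm->open_mutex)` / `mutex_unlock(&pcm->open_mutex)` pair around `err = snd_pcm_info_user(substream, info);` only closes the race if the release path that frees `substream->runtime` also runs under `pcm->open_mutex`; that is not visible in this hunk, so please confirm it (and say so in the commit message), otherwise the added locking serializes nothing. Two smaller points from the visible context: this hunk establishes the lock order register_mutex then open_mutex (register_mutex is still held at `_error:` where `mutex_unlock(&register_mutex);` runs), so check that no other path takes `pcm->open_mutex` first and then `register_mutex`, and note that the `err = -ENXIO; goto _error;` branch above the new lock correctly bypasses the unlock, which is why the unlock is placed before `_error:` rather than after it.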
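The race the commit message describes, as an added user-space model that is not part of the patch or of the kernel: one thread opens and releases a device while another calls the info path. `pcm_info_racy` reads `runtime` with no lock, the shape of the code before the fix; `pcm_info_locked` holds the same mutex the release path uses, the shape of the code after the fix. All names (`pcm_dev`, `runtime_t`, `pcm_open`, `pcm_release`, `race_stress`) are invented for illustration, and "free" is modelled by poisoning a magic field so that a stale read is counted rather than being undefined behaviour. Error codes follow the kernel's negative-errno convention, with -ENXIO mirroring the value used in the hunk.

```c
/* Added example (not from the patch or the kernel): user-space model of the
 * snd_pcm_info UAF race and of the open_mutex fix. All identifiers are
 * hypothetical. Build with: cc -O2 -pthread race.c */
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

#define RT_MAGIC  0x52554e54u  /* marks a live runtime object */
#define RT_POISON 0xdeadbeefu  /* left behind by our modelled "free" */

typedef struct { uint32_t magic; unsigned rate; } runtime_t;

typedef struct {
    pthread_mutex_t open_mutex;  /* serializes open/release, like pcm->open_mutex */
    runtime_t *runtime;          /* freed by release, read by the info path */
    runtime_t storage;           /* backing store so a stale read is detectable */
} pcm_dev;

/* Model of open(): publish a fresh runtime under open_mutex. */
static void pcm_open(pcm_dev *d, unsigned rate) {
    pthread_mutex_lock(&d->open_mutex);
    d->storage.magic = RT_MAGIC;
    d->storage.rate = rate;
    d->runtime = &d->storage;
    pthread_mutex_unlock(&d->open_mutex);
}

/* Model of release(): "free" the runtime under open_mutex. Poisoning instead
 * of calling free() keeps a racing reader observable instead of crashing. */
static void pcm_release(pcm_dev *d) {
    pthread_mutex_lock(&d->open_mutex);
    if (d->runtime) {
        d->runtime->magic = RT_POISON;
        d->runtime = NULL;
    }
    pthread_mutex_unlock(&d->open_mutex);
}

/* Pre-fix shape: pointer read and dereference with no lock held. */
static int pcm_info_racy(pcm_dev *d, unsigned *rate_out) {
    runtime_t *rt = d->runtime;           /* release() may run after this line */
    if (!rt) return -ENXIO;
    if (rt->magic != RT_MAGIC) return -EFAULT;  /* stale object observed */
    *rate_out = rt->rate;
    return 0;
}

/* Post-fix shape: check and use happen under the mutex release() also takes,
 * as the patch does by wrapping snd_pcm_info_user() in pcm->open_mutex. */
static int pcm_info_locked(pcm_dev *d, unsigned *rate_out) {
    int err;
    pthread_mutex_lock(&d->open_mutex);
    runtime_t *rt = d->runtime;
    if (!rt) err = -ENXIO;
    else if (rt->magic != RT_MAGIC) err = -EFAULT;  /* unreachable under the lock */
    else { *rate_out = rt->rate; err = 0; }
    pthread_mutex_unlock(&d->open_mutex);
    return err;
}

/* Stress harness: one thread churns open/release, another hammers info().
 * Returns how many times a stale (poisoned) runtime was observed. */
typedef int (*info_fn)(pcm_dev *, unsigned *);
struct args { pcm_dev *d; info_fn fn; long iters; long stale; };

static void *churn(void *p) {
    struct args *a = p;
    for (long i = 0; i < a->iters; i++) { pcm_open(a->d, 48000); pcm_release(a->d); }
    return NULL;
}

static void *reader(void *p) {
    struct args *a = p;
    for (long i = 0; i < a->iters; i++) {
        unsigned rate;
        if (a->fn(a->d, &rate) == -EFAULT) a->stale++;
    }
    return NULL;
}

long race_stress(info_fn fn, long iters) {
    pcm_dev d = { .open_mutex = PTHREAD_MUTEX_INITIALIZER, .runtime = NULL };
    struct args a = { &d, fn, iters, 0 };
    pthread_t t1, t2;
    pthread_create(&t1, NULL, churn, &a);
    pthread_create(&t2, NULL, reader, &a);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return a.stale;
}

int main(void) {
    printf("racy:   %ld stale observations\n", race_stress(pcm_info_racy, 2000000));
    printf("locked: %ld stale observations\n", race_stress(pcm_info_locked, 2000000));
    return 0;
}
```

On a multi-core machine the racy variant typically reports a non-zero count (the exact number varies run to run, and the unlocked read is itself a data race in C terms, which is the point), while the locked variant always reports zero: once the check and the dereference sit inside the same critical section that release() takes, a freed runtime can only ever be seen as a NULL pointer, which the caller turns into an error instead of a use-after-free.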