| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200130183621.853126337@linuxfoundation.org>
Date: Thu, 30 Jan 2020 19:38:33 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org,
Ranjani Sridharan <ranjani.sridharan@...ux.intel.com>,
Dragos Tarcatu <dragos_tarcatu@...tor.com>,
Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>,
Kuninori Morimoto <kuninori.morimoto.gx@...esas.com>,
Mark Brown <broonie@...nel.org>,
Sasha Levin <sashal@...nel.org>
Subject: [PATCH 5.4 057/110] ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime()
From: Dragos Tarcatu <dragos_tarcatu@...tor.com>
[ Upstream commit dd836ddf4e4e1c7f1eb2ae44783ccd70872ef24e ]
remove_link() is currently calling snd_soc_remove_dai_link() after
it has already freed the memory for the link name. But this is later
read from snd_soc_get_pcm_runtime() causing a KASAN use-after-free
warning. Reorder the cleanups to fix this issue.
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@...ux.intel.com>
Signed-off-by: Dragos Tarcatu <dragos_tarcatu@...tor.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>
Reviewed-by: Kuninori Morimoto <kuninori.morimoto.gx@...esas.com>
Link: https://lore.kernel.org/r/20191204210447.11701-4-pierre-louis.bossart@linux.intel.com
Signed-off-by: Mark Brown <broonie@...nel.org>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
sound/soc/soc-topology.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index fd2d22ddc81b0..7ccbca47240d7 100644
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -548,12 +548,12 @@ static void remove_link(struct snd_soc_component *comp,
if (dobj->ops && dobj->ops->link_unload)
dobj->ops->link_unload(comp, dobj);
+ list_del(&dobj->list);
+ snd_soc_remove_dai_link(comp->card, link);
+
kfree(link->name);
kfree(link->stream_name);
kfree(link->cpus->dai_name);
-
- list_del(&dobj->list);
- snd_soc_remove_dai_link(comp->card, link);
kfree(link);
}
--
2.20.1
Powered by blists - more mailing lists