| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <af5a6764-76ee-3184-2622-a756c23fbc98@perex.cz>
Date: Mon, 26 Apr 2021 16:38:41 +0200
From: Jaroslav Kysela <perex@...ex.cz>
To: Takashi Iwai <tiwai@...e.de>, Lv Yunlong <lyl2019@...l.ustc.edu.cn>
Cc: tiwai@...e.com, alsa-devel@...a-project.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] sound/isa/sb/emu8000: Fix a use after free in
snd_emu8000_create_mixer
Dne 26. 04. 21 v 16:23 Takashi Iwai napsal(a):
> On Mon, 26 Apr 2021 15:11:29 +0200,
> Lv Yunlong wrote:
>>
>> Our code analyzer reported a uaf.
>>
>> In snd_emu8000_create_mixer, the callee snd_ctl_add(..,emu->controls[i])
>> calls snd_ctl_add_replace(.., kcontrol,..). Inside snd_ctl_add_replace(),
>> if error happens, kcontrol will be freed by snd_ctl_free_one(kcontrol).
>> Then emu->controls[i] points to a freed memory, and the execution comes
>> to __error branch of snd_emu8000_create_mixer. The freed emu->controls[i]
>> is used in snd_ctl_remove(card, emu->controls[i]).
>>
>> My patch set emu->controls[i] to NULL if snd_ctl_add() failed to avoid
>> the uaf.
>>
>> Signed-off-by: Lv Yunlong <lyl2019@...l.ustc.edu.cn>
>
> Thanks, applied now.
>
> The bug was hard to be seen due to the coding style, so we'd need a
> cleanup, but it's a different story...
Yes, it would be better to assign the return value from snd_ctl_new1 to a
local variable and set emu->controls[i] only when everything succeeds.
Jaroslav
--
Jaroslav Kysela <perex@...ex.cz>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
Powered by blists - more mailing lists