Re: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info

From: Greg KH
Date: Tue Dec 05 2017 - 12:26:57 EST

Next message: Gustavo A. R. Silva: "Re: [PATCH] c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt"
Previous message: Guenter Roeck: "Re: [v2] mfd: stm32: Adopt SPDX identifier"
In reply to: Nick Desaulniers: "Re: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info"
Next in thread: Takashi Iwai: "Re: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Dec 05, 2017 at 09:19:32AM -0800, Nick Desaulniers wrote:
> + stable
>
> On Tue, Dec 5, 2017 at 9:16 AM, Nick Desaulniers
> <ndesaulniers@xxxxxxxxxx> wrote:
> > From: Robb Glasser <rglasser@xxxxxxxxxx>
> >
> > When the device descriptor is closed, the `substream->runtime` pointer
> > is freed. But another thread may be in the ioctl handler, case
> > SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
> > calls snd_pcm_info() which accesses the now freed `substream->runtime`.
> >
> > Signed-off-by: Robb Glasser <rglasser@xxxxxxxxxx>
> > Signed-off-by: Nick Desaulniers <ndesaulniers@xxxxxxxxxx>
> > ---
> > sound/core/pcm.c | 2 ++
> > 1 file changed, 2 insertions(+)

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>

Next message: Gustavo A. R. Silva: "Re: [PATCH] c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt"
Previous message: Guenter Roeck: "Re: [v2] mfd: stm32: Adopt SPDX identifier"
In reply to: Nick Desaulniers: "Re: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info"
Next in thread: Takashi Iwai: "Re: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]