Skip to content

Commit

Permalink
ALSA: pcm: prevent UAF in snd_pcm_info
Browse files Browse the repository at this point in the history 
When the device descriptor is closed, the `substream->runtime` pointer
is freed. But another thread may be in the ioctl handler, case
SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
calls snd_pcm_info() which accesses the now freed `substream->runtime`.

Bug: 36006981
Signed-off-by: Robb Glasser <[email protected]>
Signed-off-by: Nick Desaulniers <[email protected]>
Change-Id: I445d24bc21dc0af6d9522a8daabe64969042236a
Signed-off-by: Francisco Franco <[email protected]>
  • Loading branch information
@franciscofranco
Robb Glasser authored and franciscofranco committed May 11, 2018
1 parent e105838 commit 8be6351
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions sound/core/pcm.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -146,7 +146,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card,
err = -ENXIO;
goto _error;
}
mutex_lock(&pcm->open_mutex);
err = snd_pcm_info_user(substream, info);
mutex_unlock(&pcm->open_mutex);
_error:
mutex_unlock(&register_mutex);
return err;
Expand Down

0 comments on commit 8be6351

Please sign in to comment.