linux-uconsole/sound/core/seq
Takashi Iwai b374197df2 ALSA: seq: Fix racy pool initializations
commit d15d662e89 upstream.

ALSA sequencer core initializes the event pool on demand by invoking
snd_seq_pool_init() when the first write happens and the pool is
empty.  Meanwhile, a user can reset the pool size manually via ioctl
concurrently, and this may lead to UAF or out-of-bounds accesses since
the function tries to vmalloc / vfree the buffer.

A simple fix is to just wrap the snd_seq_pool_init() call with the
recently introduced client->ioctl_mutex; as the calls for
snd_seq_pool_init() from the other side are always protected with this
mutex, we can avoid the race.

Reported-by: 范龙飞 <long7573@126.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-22 15:45:01 +01:00
oss ALSA: seq: Fix OSS sysex delivery in OSS emulation 2017-11-15 17:13:12 +01:00
Kconfig ALSA: clean up the logic for building sequencer modules 2009-05-29 11:49:42 +02:00
Makefile ALSA: core: Fix randconfig build wrt CONFIG_PROC_FS 2015-05-29 07:21:02 +02:00
seq.c Subject: ALSA: seq: Remove autoload locks in driver registration 2014-10-18 20:25:19 +02:00
seq_clientmgr.c ALSA: seq: Fix racy pool initializations 2018-02-22 15:45:01 +01:00
seq_clientmgr.h ALSA: seq: Make ioctls race-free 2018-02-03 17:04:25 +01:00
seq_compat.c ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode 2016-01-31 11:28:57 -08:00
seq_device.c ALSA: seq: Cancel pending autoload work at unbinding device 2017-11-18 11:11:05 +01:00
seq_dummy.c ALSA: seq: Drop snd_seq_autoload_lock() and _unlock() 2015-02-12 14:42:31 +01:00
seq_fifo.c ALSA: seq: Fix race during FIFO resize 2017-04-08 09:53:31 +02:00
seq_fifo.h
seq_info.c ALSA: core: Build conditionally and remove superfluous ifdefs 2015-04-24 17:31:07 +02:00
seq_info.h ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS 2015-05-27 21:25:19 +02:00
seq_lock.c ALSA: seq: Enable 'use' locking in all configurations 2017-10-27 10:23:16 +02:00
seq_lock.h ALSA: seq: Enable 'use' locking in all configurations 2017-10-27 10:23:16 +02:00
seq_memory.c ALSA: seq: Fix racy cell insertions during snd_seq_pool_done() 2017-03-30 09:35:15 +02:00
seq_memory.h ALSA: seq: Fix racy cell insertions during snd_seq_pool_done() 2017-03-30 09:35:15 +02:00
seq_midi.c ALSA: seq: Drop snd_seq_autoload_lock() and _unlock() 2015-02-12 14:42:31 +01:00
seq_midi_emul.c ALSA: seq: potential out of bounds in do_control() 2015-02-12 11:07:48 +01:00
seq_midi_event.c sound: Add module.h to the previously silent sound users 2011-10-31 19:31:21 -04:00
seq_ports.c ALSA: seq: Fix use-after-free at creating a port 2017-10-18 09:20:42 +02:00
seq_ports.h ALSA: seq: remove unused callback_all field 2015-01-26 13:56:58 +01:00
seq_prioq.c ALSA: seq: Drop superfluous error/debug messages after malloc failures 2015-03-10 15:41:18 +01:00
seq_prioq.h
seq_queue.c ALSA: seq: 2nd attempt at fixing race creating a queue 2017-08-24 17:02:35 -07:00
seq_queue.h ALSA: seq: 2nd attempt at fixing race creating a queue 2017-08-24 17:02:35 -07:00
seq_system.c sound: Add export.h for THIS_MODULE/EXPORT_SYMBOL where needed 2011-10-31 19:31:22 -04:00
seq_system.h
seq_timer.c ALSA: seq: Remove spurious WARN_ON() at timer check 2017-12-16 10:33:49 +01:00
seq_timer.h
seq_virmidi.c ALSA: seq: Fix copy_from_user() call inside lock 2017-10-18 09:20:42 +02:00