Commit e11ae21c authored Aug 11, 2017 by Robb Glasser Committed by Dyneteve Nov 14, 2017

ALSA: pcm: prevent UAF in snd_pcm_info



When the device descriptor is closed, the `substream->runtime` pointer
is freed. But another thread may be in the ioctl handler, case
SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
calls snd_pcm_info() which accesses the now freed `substream->runtime`.

Bug: 36006981
Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Change-Id: I445d24bc21dc0af6d9522a8daabe64969042236a

parent 92154c28

sound/core/pcm.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card,
		err = -ENXIO;
		goto _error;
		}
		mutex_lock(&pcm->open_mutex);
		err = snd_pcm_info_user(substream, info);
		mutex_unlock(&pcm->open_mutex);
		_error:
		mutex_unlock(&register_mutex);
		return err;