summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2018-02-12 15:20:51 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-02-22 15:43:51 +0100
commit869182f45e38e4c62722b20a5c6f4bc48b2e60c3 (patch)
tree3b76d3b132721e80eac0cd86701283579de5a688 /drivers
parent344c9ac65ea678fafaff5074361dead24a038c27 (diff)
ALSA: seq: Fix racy pool initializations
commit d15d662e89fc667b90cd294b0eb45694e33144da upstream. ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. Meanwhile user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound accesses since the function tries to vmalloc / vfree the buffer. A simple fix is to just wrap the snd_seq_pool_init() call with the recently introduced client->ioctl_mutex; as the calls for snd_seq_pool_init() from other side are always protected with this mutex, we can avoid the race. Reported-by: 范龙飞 <long7573@126.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
0 files changed, 0 insertions, 0 deletions