author | Takashi Iwai <tiwai@suse.de> | 2018-02-12 15:20:51 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-02-22 15:45:01 +0100 |
commit | b374197df2deb08fec55d48763711ea1df8efde7 (patch) | |
tree | 2dab03ecf05dcfa3e806412e7527a4bb54b04724 /sound/core/init.c | |
parent | 5e5d1372ba7cfa0cf040a4e038e689f6f16e6470 (diff) |
ALSA: seq: Fix racy pool initializations

commit d15d662e89fc667b90cd294b0eb45694e33144da upstream.

ALSA sequencer core initializes the event pool on demand by invoking
snd_seq_pool_init() when the first write happens and the pool is
empty. Meanwhile user can reset the pool size manually via ioctl
concurrently, and this may lead to UAF or out-of-bound accesses since
the function tries to vmalloc / vfree the buffer.

A simple fix is to just wrap the snd_seq_pool_init() call with the
recently introduced client->ioctl_mutex; as the calls for
snd_seq_pool_init() from other side are always protected with this
mutex, we can avoid the race.

Reported-by: 范龙飞 <long7573@126.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'sound/core/init.c')
0 files changed, 0 insertions, 0 deletions
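
The locking rule the commit message describes, as an added user-space C model that is not code from this commit or from the kernel tree: the on-demand init on the write path and the ioctl-style pool reset both run under the same mutex, so neither can observe a half-replaced buffer. The struct layout and the names `pool_init`, `client_write`, `resizer` and `run_model` are hypothetical, and `calloc`/`free` stand in for vmalloc/vfree.

```c
/* Hypothetical user-space model of the locking rule; not kernel code. */
#include <pthread.h>
#include <stdlib.h>
struct client {
    pthread_mutex_t ioctl_mutex;  /* stands in for client->ioctl_mutex */
    char *cells;                  /* pool buffer; NULL while the pool is empty */
    size_t size, allocated;       /* requested size, size of the live buffer */
    long violations;              /* failed or inconsistent inits observed */
};

/* Stand-in for snd_seq_pool_init(); the caller must hold ioctl_mutex. */
static int pool_init(struct client *c) {
    if (c->cells)                 /* already set up: buffer must match size */
        return c->allocated == c->size ? 0 : -1;
    c->cells = calloc(c->size, 1);
    c->allocated = c->size;
    return c->cells ? 0 : -1;
}

/* Write path: the on-demand init call is wrapped in the mutex (the fix). */
static void client_write(struct client *c) {
    pthread_mutex_lock(&c->ioctl_mutex);
    c->violations += pool_init(c) != 0;
    pthread_mutex_unlock(&c->ioctl_mutex);
}

/* ioctl path: resets the pool size and frees the buffer under the same mutex. */
static void *resizer(void *arg) {
    struct client *c = arg;
    for (int i = 0; i < 20000; i++) {
        pthread_mutex_lock(&c->ioctl_mutex);
        free(c->cells);
        c->cells = NULL;
        c->size = 16 + (size_t)(i % 8) * 16;
        pthread_mutex_unlock(&c->ioctl_mutex);
    }
    return NULL;
}

/* Runs both paths concurrently; returns how many inconsistencies were seen. */
long run_model(void) {
    struct client c = { .ioctl_mutex = PTHREAD_MUTEX_INITIALIZER, .size = 16 };
    pthread_t r;
    pthread_create(&r, NULL, resizer, &c);
    for (int i = 0; i < 20000; i++)
        client_write(&c);
    pthread_join(r, NULL);
    free(c.cells);
    return c.violations;
}
```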