On 26. 04. 21 at 16:23, Takashi Iwai wrote:
> On Mon, 26 Apr 2021 15:11:29 +0200,
> Lv Yunlong wrote:
>>
>> Our code analyzer reported a UAF.
>>
>> In snd_emu8000_create_mixer, the callee snd_ctl_add(..,emu->controls[i])
>> calls snd_ctl_add_replace(.., kcontrol,..). Inside snd_ctl_add_replace(),
>> if an error happens, kcontrol will be freed by snd_ctl_free_one(kcontrol).
>> Then emu->controls[i] points to freed memory, and the execution comes
>> to the __error branch of snd_emu8000_create_mixer. The freed emu->controls[i]
>> is used in snd_ctl_remove(card, emu->controls[i]).
>>
>> My patch sets emu->controls[i] to NULL if snd_ctl_add() failed, to avoid
>> the UAF.
>>
>> Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>
>
> Thanks, applied now.
>
> The bug was hard to see due to the coding style, so we'd need a
> cleanup, but it's a different story...

Yes, it would be better to assign the return value from snd_ctl_new1 to a local variable and set emu->controls[i] only when everything succeeds.

Jaroslav

--
Jaroslav Kysela <perex@xxxxxxxx>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
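The local-variable shape suggested above, as an added example that is not the kernel's code: the ALSA calls are replaced by small stand-ins (ctl_new, ctl_add, ctl_remove, struct card, struct emu8000 and the fail_idx parameter are all constructed for this demo), and ctl_add() frees the control on failure just as snd_ctl_add_replace() does, so the __error cleanup only ever sees controls that are still registered.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define NUM_CONTROLS 3
/* Minimal stand-ins for the ALSA objects, constructed for this example. */
struct kcontrol { int id; int fail_on_add; };
struct card { int added; int removed; int freed; };
struct emu8000 { struct kcontrol *controls[NUM_CONTROLS]; };
/* Stand-in for snd_ctl_new1(): allocates a control the caller owns. */
static struct kcontrol *ctl_new(int id, int fail_on_add)
{
    struct kcontrol *kc = calloc(1, sizeof(*kc));
    if (kc) { kc->id = id; kc->fail_on_add = fail_on_add; }
    return kc;
}
/* Stand-in for snd_ctl_add(): takes ownership and, on error, frees the control
 * itself (as snd_ctl_add_replace() does via snd_ctl_free_one()). */
static int ctl_add(struct card *card, struct kcontrol *kc)
{
    if (kc->fail_on_add) { card->freed++; free(kc); return -EBUSY; }
    card->added++;
    return 0;
}
/* Stand-in for snd_ctl_remove(): unregisters and frees a control. */
static void ctl_remove(struct card *card, struct kcontrol *kc)
{ card->removed++; card->freed++; free(kc); }
/* Corrected pattern: keep the new control in a local and publish it into
 * emu->controls[i] only after ctl_add() succeeds, so cleanup never touches a
 * pointer the callee freed. fail_idx (demo only): index that fails, -1 = none. */
static int create_mixer(struct card *card, struct emu8000 *emu, int fail_idx)
{
    int i, err;
    memset(emu->controls, 0, sizeof(emu->controls));
    for (i = 0; i < NUM_CONTROLS; i++) {
        struct kcontrol *kc = ctl_new(i, i == fail_idx);
        if (!kc) { err = -ENOMEM; goto __error; }
        err = ctl_add(card, kc);   /* on failure kc is already freed */
        if (err < 0) goto __error;
        emu->controls[i] = kc;     /* only registered controls are stored */
    }
    return 0;
__error:
    for (i = 0; i < NUM_CONTROLS; i++)
        if (emu->controls[i]) {
            ctl_remove(card, emu->controls[i]);
            emu->controls[i] = NULL;
        }
    return err;
}
```

With the original code, the failing slot would hold a freed pointer by the time the __error loop reached it; here the counters show exactly one registration, one removal and two frees, with no slot left dangling.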