On Tue, 05 Dec 2017 20:29:07 +0100, Kees Cook wrote: > > On Tue, Dec 5, 2017 at 11:14 AM, Takashi Iwai <tiwai@xxxxxxx> wrote: > > On Tue, 05 Dec 2017 18:16:55 +0100, > > Nick Desaulniers wrote: > >> > >> From: Robb Glasser <rglasser@xxxxxxxxxx> > >> > >> When the device descriptor is closed, the `substream->runtime` pointer > >> is freed. But another thread may be in the ioctl handler, case > >> SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which > >> calls snd_pcm_info() which accesses the now freed `substream->runtime`. > >> > >> Signed-off-by: Robb Glasser <rglasser@xxxxxxxxxx> > >> Signed-off-by: Nick Desaulniers <ndesaulniers@xxxxxxxxxx> > > > > Looks reasonable. Applied with Cc to stable now. > > FWIW, this was assigned CVE-2017-0861. (Best to get it into the commit > log if possible.) OK, I updated the changelog. Thanks for information. Takashi _______________________________________________ Alsa-devel mailing list Alsa-devel@xxxxxxxxxxxxxxxx http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
