This is a note to let you know that I've just added the patch titled
ALSA: pcm: prevent UAF in snd_pcm_info
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
alsa-pcm-prevent-uaf-in-snd_pcm_info.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 362bca57f5d78220f8b5907b875961af9436e229 Mon Sep 17 00:00:00 2001
From: Robb Glasser <rglasser@xxxxxxxxxx>
Date: Tue, 5 Dec 2017 09:16:55 -0800
Subject: ALSA: pcm: prevent UAF in snd_pcm_info
From: Robb Glasser <rglasser@xxxxxxxxxx>
commit 362bca57f5d78220f8b5907b875961af9436e229 upstream.
When the device descriptor is closed, the `substream->runtime` pointer
is freed. But another thread may be in the ioctl handler, case
SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
calls snd_pcm_info() which accesses the now freed `substream->runtime`.
Note: this fixes CVE-2017-0861
Signed-off-by: Robb Glasser <rglasser@xxxxxxxxxx>
Signed-off-by: Nick Desaulniers <ndesaulniers@xxxxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
sound/core/pcm.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -153,7 +153,9 @@ static int snd_pcm_control_ioctl(struct
err = -ENXIO;
goto _error;
}
+ mutex_lock(&pcm->open_mutex);
err = snd_pcm_info_user(substream, info);
+ mutex_unlock(&pcm->open_mutex);
_error:
mutex_unlock(®ister_mutex);
return err;
Patches currently in stable-queue which might be from rglasser@xxxxxxxxxx are
queue-4.14/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch