2eabc5ec8a
The snd_seq_ioctl_get_subscription() retrieves the port subscriber information as a pointer, while the object isn't protected, hence it may be deleted before the actual reference. This race was spotted by syzkaller and may lead to a UAF. The fix is simply copying the data in the lookup function that performs in the rwsem to protect against the deletion. Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> |
||
|---|---|---|
| .. | ||
| oss | ||
| seq | ||
| Kconfig | ||
| Makefile | ||
| compress_offload.c | ||
| control.c | ||
| control_compat.c | ||
| ctljack.c | ||
| device.c | ||
| hrtimer.c | ||
| hwdep.c | ||
| hwdep_compat.c | ||
| info.c | ||
| info_oss.c | ||
| init.c | ||
| isadma.c | ||
| jack.c | ||
| memalloc.c | ||
| memory.c | ||
| misc.c | ||
| pcm.c | ||
| pcm_compat.c | ||
| pcm_dmaengine.c | ||
| pcm_drm_eld.c | ||
| pcm_iec958.c | ||
| pcm_lib.c | ||
| pcm_local.h | ||
| pcm_memory.c | ||
| pcm_misc.c | ||
| pcm_native.c | ||
| pcm_param_trace.h | ||
| pcm_timer.c | ||
| pcm_trace.h | ||
| rawmidi.c | ||
| rawmidi_compat.c | ||
| seq_device.c | ||
| sgbuf.c | ||
| sound.c | ||
| sound_oss.c | ||
| timer.c | ||
| timer_compat.c | ||
| vmaster.c | ||