diff options
| author | Takashi Iwai <tiwai@suse.de> | 2019-11-06 17:55:47 +0100 |
|---|---|---|
| committer | Todd Kjos <tkjos@google.com> | 2020-04-06 11:36:21 -0700 |
| commit | 6a8e9d45a7d303333c29b7ca58f91e406473da96 (patch) | |
| tree | 7c60d6c1e67a5b88b387e41e47a368a3636e7fe9 | |
| parent | 2104ee25e209d0de840df716f5636bd5609a8695 (diff) | |
ALSA: timer: Fix incorrectly assigned timer instanceASB-2020-04-05_4.9-q-release
commit e7af6307a8a54f0b873960b32b6a644f2d0fbd97 upstream.
The clean up commit 41672c0c24a6 ("ALSA: timer: Simplify error path in
snd_timer_open()") unified the error handling code paths with the
standard goto, but it introduced a subtle bug: the timer instance is
stored in snd_timer_open() incorrectly even if it returns an error.
This may eventually lead to UAF, as spotted by fuzzer.
The culprit is the snd_timer_open() code checks the
SNDRV_TIMER_IFLG_EXCLUSIVE flag with the common variable timeri.
This variable is supposed to be the newly created instance, but we
(ab-)used it for a temporary check before the actual creation of a
timer instance. After that point, there is another check for the max
number of instances, and it bails out if over the threshold. Before
the refactoring above, it worked fine because the code returned
directly from that point. After the refactoring, however, it jumps to
the unified error path that stores the timeri variable in return --
even if it returns an error. Unfortunately this stored value is kept
in the caller side (snd_timer_user_tselect()) in tu->timeri. This
causes inconsistency later, as if the timer was successfully
assigned.
In this patch, we fix it by not re-using timeri variable but a
temporary variable for testing the exclusive connection, so timeri
remains NULL at that point.
Fixes: 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()")
Reported-and-tested-by: Tristan Madani <tristmd@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191106165547.23518-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | sound/core/timer.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sound/core/timer.c b/sound/core/timer.c index 19d90aa08218..e944d27f79c3 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -297,11 +297,11 @@ int snd_timer_open(struct snd_timer_instance **ti, goto unlock; } if (!list_empty(&timer->open_list_head)) { - timeri = list_entry(timer->open_list_head.next, + struct snd_timer_instance *t = + list_entry(timer->open_list_head.next, struct snd_timer_instance, open_list); - if (timeri->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) { + if (t->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) { err = -EBUSY; - timeri = NULL; goto unlock; } } |