On Tue, Dec 5, 2017 at 11:14 AM, Takashi Iwai <[email protected]> wrote: > On Tue, 05 Dec 2017 18:16:55 +0100, > Nick Desaulniers wrote: >> >> From: Robb Glasser <[email protected]> >> >> When the device descriptor is closed, the `substream->runtime` pointer >> is freed. But another thread may be in the ioctl handler, case >> SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which >> calls snd_pcm_info() which accesses the now freed `substream->runtime`. >> >> Signed-off-by: Robb Glasser <[email protected]> >> Signed-off-by: Nick Desaulniers <[email protected]> > > Looks reasonable. Applied with Cc to stable now.
FWIW, this was assigned CVE-2017-0861. (Best to get it into the commit log if possible.) -Kees > > > thanks, > > Takashi > >> --- >> sound/core/pcm.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/sound/core/pcm.c b/sound/core/pcm.c >> index 9070f277f8db..09ee8c6b9f75 100644 >> --- a/sound/core/pcm.c >> +++ b/sound/core/pcm.c >> @@ -153,7 +153,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card, >> err = -ENXIO; >> goto _error; >> } >> + mutex_lock(&pcm->open_mutex); >> err = snd_pcm_info_user(substream, info); >> + mutex_unlock(&pcm->open_mutex); >> _error: >> mutex_unlock(®ister_mutex); >> return err; >> -- >> 2.15.0.531.g2ccb3012c9-goog >> >> -- Kees Cook Pixel Security
