Re: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info

2017-12-05 Thread Takashi Iwai
On Tue, 05 Dec 2017 20:29:07 +0100, Kees Cook wrote: > > On Tue, Dec 5, 2017 at 11:14 AM, Takashi Iwai wrote: > > On Tue, 05 Dec 2017 18:16:55 +0100, > > Nick Desaulniers wrote: > >> > >> From: Robb Glasser > >> > >> When the device descriptor is closed, the `substream->runtime` pointer > >> is

Re: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info

2017-12-05 Thread Kees Cook
On Tue, Dec 5, 2017 at 11:14 AM, Takashi Iwai wrote: > On Tue, 05 Dec 2017 18:16:55 +0100, > Nick Desaulniers wrote: >> >> From: Robb Glasser >> >> When the device descriptor is closed, the `substream->runtime` pointer >> is freed. But another thread may be in the ioctl handler, case >>

Re: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info

2017-12-05 Thread Takashi Iwai
On Tue, 05 Dec 2017 18:16:55 +0100, Nick Desaulniers wrote: > > From: Robb Glasser > > When the device descriptor is closed, the `substream->runtime` pointer > is freed. But another thread may be in the ioctl handler, case > SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which >

Re: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info

2017-12-05 Thread Greg KH
On Tue, Dec 05, 2017 at 09:19:32AM -0800, Nick Desaulniers wrote: > + stable > > On Tue, Dec 5, 2017 at 9:16 AM, Nick Desaulniers > wrote: > > From: Robb Glasser > > > > When the device descriptor is closed, the `substream->runtime` pointer > > is freed. But another thread may be in the ioctl

Re: [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info

2017-12-05 Thread Nick Desaulniers
+ stable On Tue, Dec 5, 2017 at 9:16 AM, Nick Desaulniers wrote: > From: Robb Glasser > > When the device descriptor is closed, the `substream->runtime` pointer > is freed. But another thread may be in the ioctl handler, case > SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which

[PATCH] ALSA: pcm: prevent UAF in snd_pcm_info

2017-12-05 Thread Nick Desaulniers
From: Robb Glasser When the device descriptor is closed, the `substream->runtime` pointer is freed. But another thread may be in the ioctl handler, case SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which calls snd_pcm_info() which accesses the now freed `substream->runtime`.