Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 0d7252d33dcb8e79d3d46da96e43ce3d56f29c2e
commit0d7252d33dcb8e79d3d46da96e43ce3d56f29c2e[log] [tgz]
authorTakashi Iwai <tiwai@suse.de>Mon Mar 05 22:00:55 2018 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Sun Mar 18 11:18:51 2018 +0100
treedb96431554e5c111cede6f29b5432ac1f10e66df
parent5191f41745f84eee6f95dd834635dcb83a36926e [diff]
ALSA: seq: Don't allow resizing pool in use

commit d85739367c6d56e475c281945c68fdb05ca74b4c upstream.

This is a fix for a (sort of) fallout in the recent commit
d15d662e89fc ("ALSA: seq: Fix racy pool initializations") for
CVE-2018-1000004.
As the pool resize deletes the existing cells, it may lead to a race
when another thread is writing concurrently, eventually resulting a
UAF.

A simple workaround is not to allow the pool resizing when the pool is
in use.  It's an invalid behavior in anyway.

Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations")
Reported-by: 范龙飞 <long7573@126.com>
Reported-by: Nicolai Stange <nstange@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: db96431554e5c111cede6f29b5432ac1f10e66df
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS