mirror-linux/sound/core
Cássio Gabriel 4cc54bdd54 ALSA: pcm: oss: Fix setup list UAF on proc write error
snd_pcm_oss_proc_write() links a newly allocated setup entry into the
OSS setup list before duplicating the task name. If the task-name
allocation fails, the error path frees the already linked entry and
leaves setup_list pointing at freed memory.

A later OSS device open can then walk the stale list entry in
snd_pcm_oss_look_for_setup() and dereference freed memory.

Allocate the task name and initialize the setup entry before publishing
the entry on setup_list. Also fetch the initial proc read iterator only
after taking setup_mutex, so all setup_list traversal follows the same
list lifetime rules.

Reported-by: syzbot+8e498074a794999eb41c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6a1062b7.170a0220.35b2b7.0003.GAE@google.com
Closes: https://syzkaller.appspot.com/bug?extid=8e498074a794999eb41c
Fixes: 060d77b9c0 ("[ALSA] Fix / clean up PCM-OSS setup hooks")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260522-alsa-pcm-oss-setup-uaf-v1-1-40bdcc4d17e8@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2026-05-25 09:23:10 +02:00
oss ALSA: pcm: oss: Fix setup list UAF on proc write error 2026-05-25 09:23:10 +02:00
seq ALSA: seq: Serialize UMP output teardown with event_input 2026-05-20 13:10:40 +02:00
.kunitconfig ALSA: core: add kunitconfig 2024-03-17 09:36:45 +01:00
Kconfig ALSA: Do not build obsolete API 2025-12-07 13:15:59 +01:00
Makefile ALSA: control: Verify put() result when in debug mode 2026-02-28 09:32:39 +01:00
compress_offload.c ALSA: compress: Pay attention if drivers error out retrieving pointers 2026-04-02 11:10:28 +02:00
control.c ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() 2026-04-14 15:31:10 +02:00
control_compat.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
control_led.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
control_trace.h ALSA: control: Verify put() result when in debug mode 2026-02-28 09:32:39 +01:00
ctljack.c ALSA: jack: Improve string handling in jack_kctl_name_gen 2026-01-27 09:58:37 +01:00
device.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
hrtimer.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
hwdep.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
hwdep_compat.c
info.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
info_oss.c ALSA: info: Use guard() for locking 2024-02-28 15:01:21 +01:00
init.c ALSA: control: Verify put() result when in debug mode 2026-02-28 09:32:39 +01:00
isadma.c
jack.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
memalloc.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
memory.c ALSA: Align the syntax of iov_iter helpers with standard ones 2024-12-30 12:50:04 +01:00
misc.c ALSA: core: Serialize deferred fasync state checks 2026-05-06 10:07:36 +02:00
pcm.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
pcm_compat.c ALSA: pcm: Use pcm_lib_apply_appl_ptr() in x32 sync_ptr 2026-03-27 14:40:24 +01:00
pcm_dmaengine.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
pcm_drm_eld.c ALSA: pcm_drm_eld: rate-limit ELD parsing errors 2026-05-16 16:20:07 +02:00
pcm_iec958.c
pcm_lib.c ALSA: pcm: Don't setup bogus iov_iter for silencing 2026-05-17 21:49:47 +02:00
pcm_local.h ALSA: pcm: Revert "ALSA: pcm: rewrite snd_pcm_playback_silence()" 2023-05-05 18:23:48 +02:00
pcm_memory.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
pcm_misc.c ALSA: core: Add SPDX license id to files 2026-02-18 08:52:08 +01:00
pcm_native.c Merge branch 'for-linus' into for-next 2026-04-01 14:43:00 +02:00
pcm_param_trace.h
pcm_timer.c ALSA: pcm_timer: use snd_pcm_direction_name() 2024-08-01 12:50:13 +02:00
pcm_trace.h tracing/treewide: Remove second parameter of __assign_str() 2024-05-22 20:14:47 -04:00
rawmidi.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
rawmidi_compat.c ALSA: rawmidi: Replace with __packed attribute 2023-10-26 09:42:55 +02:00
seq_device.c ALSA: seq: Refuse to probe seq drivers with non-bus probe or remove 2025-12-14 11:08:10 +01:00
sound.c ALSA: core: Validate compress device numbers without dynamic minors 2026-03-28 10:55:35 +01:00
sound_kunit.c ALSA: core: Fix possible NULL dereference caused by kunit_kzalloc() 2024-11-27 08:06:31 +01:00
sound_oss.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
timer.c ALSA: timer: avoid past-the-end iterator in snd_timer_dev_register() 2026-05-19 07:38:54 +02:00
timer_compat.c ALSA: timer: Use guard() for locking 2024-02-28 15:01:20 +01:00
ump.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
ump_convert.c ALSA: ump: Explicitly reset RPN with Null RPN 2024-07-31 15:08:39 +02:00
vmaster.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00