• Takashi Iwai's avatar
    ALSA: seq: Fix racy pool initializations · d15d662e
    Takashi Iwai authored
    ALSA sequencer core initializes the event pool on demand by invoking
    snd_seq_pool_init() when the first write happens and the pool is
    empty.  Meanwhile user can reset the pool size manually via ioctl
    concurrently, and this may lead to UAF or out-of-bound accesses since
    the function tries to vmalloc / vfree the buffer.
    
    A simple fix is to just wrap the snd_seq_pool_init() call with the
    recently introduced client->ioctl_mutex; as the calls for
    snd_seq_pool_init() from other side are always protected with this
    mutex, we can avoid the race.
    Reported-by: default avatar范龙飞 <long7573@126.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    d15d662e
seq_clientmgr.c 65.7 KB