]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
projects / mirror_ubuntu-bionic-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e62b922) | patch
ALSA: rawmidi: Change resized buffers atomically
authorTakashi Iwai <tiwai@suse.de>
Fri, 23 Nov 2018 07:28:35 +0000 (02:28 -0500)
committerKleber Sacilotto de Souza <kleber.souza@canonical.com>
Thu, 6 Dec 2018 13:43:20 +0000 (14:43 +0100)
commit8ae7cdc79d11418cbdbf285167cec8839ac888f3
tree61bb84019623eb875ab71e8442a9a4cf14c90903tree
parente62b922413b07d76cb0b482297c83389aa30ec11commit | diff
ALSA: rawmidi: Change resized buffers atomically

CVE-2018-10902

The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the
current code is racy.  For example, the sequencer client may write to
buffer while it being resized.

As a simple workaround, let's switch to the resized buffer inside the
stream runtime lock.

Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 39675f7a7c7e7702f7d5341f1e0d01db746543a0)
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
Acked-by: Kleber Souza <kleber.souza@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
sound/core/rawmidi.c diff | blob | blame | history
ubuntu-bionic-kernel mirror