ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
authorTakashi Iwai <tiwai@suse.de>
Sat, 10 Mar 2018 22:04:23 +0000 (23:04 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Mar 2018 08:17:59 +0000 (09:17 +0100)
commit238ba452eb4bbd6378f9d4857e0532a806b79013
tree3ccc770e1d8f7da6c1559ff8b7c712cbc47646e3
parent8f6cfbea4e1621f078a08dfb2b444162ba2f7441
ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()

commit 01c0b4265cc16bc1f43f475c5944c55c10d5768f upstream.

snd_pcm_oss_get_formats() has an obvious use-after-free around
snd_mask_test() calls, as spotted by syzbot.  The passed format_mask
argument is a pointer to the hw_params object that is freed before the
loop.  What a surprise that it has been present since the original
code of decades ago...

Reported-by: syzbot+4090700a4f13fccaf648@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
sound/core/oss/pcm_oss.c