[PATCH] ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
Jaroslav Kysela
perex at perex.cz
Mon Sep 5 09:01:56 CEST 2022
On 05. 09. 22 8:07, Takashi Iwai wrote:
> There is a small race window at snd_pcm_oss_sync() that is called from
> OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls
> snd_pcm_oss_make_ready() at first, then takes the params_lock mutex
> for the rest. When the stream is set up again by another thread
> between them, it leads to inconsistency, and may result in unexpected
> results such as a NULL dereference of the OSS buffer, as a fuzzer spotted
> recently.
>
> The fix is simply to cover the snd_pcm_oss_make_ready() call with the same
> params_lock mutex, using the snd_pcm_oss_make_ready_locked() variant.
>
> Reported-and-tested-by: butt3rflyh4ck <butterflyhuangxx at gmail.com>
> Cc: <stable at vger.kernel.org>
> Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com
> Signed-off-by: Takashi Iwai <tiwai at suse.de>
Reviewed-by: Jaroslav Kysela <perex at perex.cz>
--
Jaroslav Kysela <perex at perex.cz>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
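The race described in the quoted commit message, as an added illustration that is not the kernel's code or the patch itself: a reduced model in which `make_ready()` takes and drops a mutex, the caller then re-takes the same mutex, and a competing re-setup in the gap tears down the buffer the caller is about to use. The struct, function names (`oss_sync_racy`, `oss_sync_fixed`, `change_params`, the `interleave_fn` hook) and the "return -1 instead of dereferencing NULL" convention are assumptions made for this example; the interleaving is forced deterministically through the hook rather than with real threads so the outcome is reproducible.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Reduced model of the OSS PCM runtime state (an assumption for this
 * example; it is not the kernel's struct snd_pcm_oss_runtime). */
struct oss_model {
    pthread_mutex_t params_lock;
    int prepared;          /* stream set up, buffer usable */
    unsigned char *buffer; /* OSS intermediate buffer, NULL until prepared */
    size_t buffer_bytes;
};

/* Models a competing thread that gets to run in the race window. */
typedef void (*interleave_fn)(struct oss_model *);

static void oss_model_init(struct oss_model *m)
{
    pthread_mutex_init(&m->params_lock, NULL);
    m->prepared = 0;
    m->buffer = NULL;
    m->buffer_bytes = 4096;
}

static void oss_model_destroy(struct oss_model *m)
{
    free(m->buffer);
    m->buffer = NULL;
    pthread_mutex_destroy(&m->params_lock);
}

/* Caller must hold params_lock: allocate the buffer if not yet prepared. */
static int make_ready_locked(struct oss_model *m)
{
    if (m->prepared)
        return 0;
    m->buffer = calloc(1, m->buffer_bytes);
    if (!m->buffer)
        return -1;
    m->prepared = 1;
    return 0;
}

/* Unlocked variant: takes and drops params_lock around the work only. */
static int make_ready(struct oss_model *m)
{
    int err;
    pthread_mutex_lock(&m->params_lock);
    err = make_ready_locked(m);
    pthread_mutex_unlock(&m->params_lock);
    return err;
}

/* Another thread re-setting the stream: tears the buffer down, so any
 * later user has to prepare again before touching it. */
static void change_params(struct oss_model *m)
{
    pthread_mutex_lock(&m->params_lock);
    free(m->buffer);
    m->buffer = NULL;
    m->prepared = 0;
    pthread_mutex_unlock(&m->params_lock);
}

/* Before the fix: make_ready() has already dropped the lock when sync
 * re-takes it, so a change_params() in between leaves buffer == NULL.
 * Returns -1 at the point where the kernel would dereference that NULL. */
static int oss_sync_racy(struct oss_model *m, interleave_fn other)
{
    int err = make_ready(m);
    if (err)
        return err;
    if (other)
        other(m); /* the race window between make_ready() and the lock */
    pthread_mutex_lock(&m->params_lock);
    if (!m->buffer) {
        pthread_mutex_unlock(&m->params_lock);
        return -1;
    }
    memset(m->buffer, 0, m->buffer_bytes); /* stand-in for the sync work */
    pthread_mutex_unlock(&m->params_lock);
    return 0;
}

/* After the fix: preparation and use sit in one critical section. The
 * competing change_params() can only run before it (modelled by calling
 * it first) or after it, never between the two steps. */
static int oss_sync_fixed(struct oss_model *m, interleave_fn other)
{
    int err;
    if (other)
        other(m);
    pthread_mutex_lock(&m->params_lock);
    err = make_ready_locked(m);
    if (err == 0)
        memset(m->buffer, 0, m->buffer_bytes);
    pthread_mutex_unlock(&m->params_lock);
    return err;
}

/* Scenarios returning the sync result for a fresh model each time. */
static int scenario_no_contention(void)
{
    struct oss_model m;
    oss_model_init(&m);
    int r = oss_sync_racy(&m, NULL);
    oss_model_destroy(&m);
    return r; /* 0: nobody raced, buffer present */
}

static int scenario_racy(void)
{
    struct oss_model m;
    oss_model_init(&m);
    int r = oss_sync_racy(&m, change_params);
    oss_model_destroy(&m);
    return r; /* -1: buffer gone when the lock is finally held */
}

static int scenario_fixed(void)
{
    struct oss_model m;
    oss_model_init(&m);
    int r = oss_sync_fixed(&m, change_params);
    oss_model_destroy(&m);
    return r; /* 0: re-prepared inside the same critical section */
}

int main(void)
{
    return (scenario_no_contention() == 0 && scenario_racy() == -1 &&
            scenario_fixed() == 0) ? 0 : 1;
}
```

The point the model makes is the general one behind the patch: a check-or-prepare step done under a lock gives no guarantee about state once that lock has been released, so whatever consumes the prepared state has to run inside the same critical section, which is exactly what switching to the `_locked()` variant achieves.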