summaryrefslogtreecommitdiff
path: root/certs
diff options
context:
space:
mode:
authorLv Yunlong <lyl2019@mail.ustc.edu.cn>2021-04-26 17:55:41 +0300
committerTakashi Iwai <tiwai@suse.de>2021-04-26 19:01:07 +0300
commit4fb44dd2c1dda18606348acdfdb97e8759dde9df (patch)
tree4df776bf00dc1d1d50a1214ad5ab0562009ccb3f /certs
parent0301201b7181a927b59421097a01ee98683aa67c (diff)
downloadlinux-4fb44dd2c1dda18606348acdfdb97e8759dde9df.tar.xz
ALSA: sb: Fix two use after free in snd_sb_qsound_build
In snd_sb_qsound_build, snd_ctl_add(..,p->qsound_switch...) and snd_ctl_add(..,p->qsound_space..) are called. But the second arguments of snd_ctl_add() could be freed via snd_ctl_add_replace() ->snd_ctl_free_one(). After the error code is returned, snd_sb_qsound_destroy(p) is called in __error branch. But in snd_sb_qsound_destroy(), the freed p->qsound_switch and p->qsound_space are still used by snd_ctl_remove(). My patch set p->qsound_switch and p->qsound_space to NULL if snd_ctl_add() failed to avoid the uaf bugs. But these codes need to further be improved with the code style. Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20210426145541.8070-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'certs')
0 files changed, 0 insertions, 0 deletions