Google Git
Sign in
chromium / chromiumos / third_party / kernel / 70a45c0200e3436587ed1a698927a387bbff1a7c
commit70a45c0200e3436587ed1a698927a387bbff1a7c[log] [tgz]
authorTakashi Iwai <tiwai@suse.de>Mon Mar 05 21:00:55 2018
committerchrome-bot <chrome-bot@chromium.org>Fri Apr 20 02:28:50 2018
treec13c3cac06e924b75b921c3b19b21f681a26008b
parentfb06ed187afa6e8adbce844ef2ded6745c5d44d8 [diff]
UPSTREAM: ALSA: seq: Don't allow resizing pool in use

This is a fix for a (sort of) fallout in the recent commit
d15d662e89fc ("ALSA: seq: Fix racy pool initializations") for
CVE-2018-1000004.
As the pool resize deletes the existing cells, it may lead to a race
when another thread is writing concurrently, eventually resulting a
UAF.

A simple workaround is not to allow the pool resizing when the pool is
in use.  It's an invalid behavior in anyway.

BUG=834716
TEST=None

Change-Id: Ic2b9cb355273a12cd8657fe2d57ce8641edcbc1c
Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations")
Reported-by:  <long7573@126.com>
Reported-by: Nicolai Stange <nstange@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit d85739367c6d56e475c281945c68fdb05ca74b4c)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1019392
Reviewed-by: Guenter Roeck <groeck@chromium.org>
1 file changed
tree: c13c3cac06e924b75b921c3b19b21f681a26008b
  1. android/
  2. arch/
  3. block/
  4. chromeos/
  5. crypto/
  6. Documentation/
  7. drivers/
  8. firmware/
  9. fs/
  10. include/
  11. init/
  12. ipc/
  13. kernel/
  14. lib/
  15. mm/
  16. net/
  17. samples/
  18. scripts/
  19. security/
  20. sound/
  21. tools/
  22. usr/
  23. virt/
  24. .gitignore
  25. .mailmap
  26. COMMIT-QUEUE.ini
  27. COPYING
  28. CREDITS
  29. Kbuild
  30. Kconfig
  31. MAINTAINERS
  32. Makefile
  33. PRESUBMIT.cfg
  34. README
  35. REPORTING-BUGS