git.baikalelectronics.ru Git - kernel.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Thu, 30 Sep 2021 11:41:14 +0000 (13:41 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 20 Oct 2021 09:40:12 +0000 (11:40 +0200)
commit	d97d5bfae240fc3435ead4cba5207681fbdec149
tree	c5bb1300ed470db98b3a4a5dee8277bc9fab9f44	tree \| snapshot
parent	116c44f23405ef711068859bb60bfa4eda0845ce	commit \| diff

ALSA: seq: Fix a potential UAF by wrong private_free call order

commit 1f8763c59c4ec6254d629fe77c0a52220bd907aa upstream.

John Keeping reported and posted a patch for a potential UAF in
rawmidi sequencer destruction: the snd_rawmidi_dev_seq_free() may be
called after the associated rawmidi object got already freed.
After a deeper look, it turned out that the bug is rather the
incorrect private_free call order for a snd_seq_device. The
snd_seq_device private_free gets called at the release callback of the
sequencer device object, while this was rather expected to be executed
at the snd_device call chains that runs at the beginning of the whole
card-free procedure. It's been broken since the rewrite of
sequencer-device binding (although it hasn't surfaced because the
sequencer device release happens usually right along with the card
device release).

This patch corrects the private_free call to be done in the right
place, at snd_seq_device_dev_free().

Fixes: 343f01de38f4 ("ALSA: seq: Rewrite sequencer device binding with standard bus")
Reported-and-tested-by: John Keeping <john@metanate.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210930114114.8645-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>