diff options
| author | Yingjoe Chen <yingjoe.chen@mediatek.com> | 2020-03-07 18:19:30 +0800 |
|---|---|---|
| committer | Darren Krahn <dkrahn@google.com> | 2020-03-16 18:55:08 -0700 |
| commit | 377d383de91c5cdfe11b1deaca2046b1b9969294 (patch) | |
| tree | 35d709b1421d2b58e48b7ae5aae1d18a401acfd5 | |
| parent | e8f4ba03b363136e84c8d8a86e2c285d6ebef45c (diff) | |
| download | mediatek-377d383de91c5cdfe11b1deaca2046b1b9969294.tar.gz | |
[ALPS05020298] ALSA: timer: Fix incorrectly assigned timer instanceandroid-o-mr1-iot-release-smart-display-r30
The clean up commit 41672c0c24a6 ("ALSA: timer: Simplify error path in
snd_timer_open()") unified the error handling code paths with the
standard goto, but it introduced a subtle bug: the timer instance is
stored in snd_timer_open() incorrectly even if it returns an error.
This may eventually lead to UAF, as spotted by fuzzer.
In this patch, we fix it by not re-using timeri variable but a
temporary variable for testing the exclusive connection, so timeri
remains NULL at that point.
Bug: 151000310
Change-Id: I9ce2d4b5d992ba76dda740caea1046efe0ff782c
Signed-off-by: chipeng chang <chipeng.chang@mediatek.com>
Signed-off-by: Yingjoe Chen <yingjoe.chen@mediatek.com>
CR-Id: ALPS05020298
Feature: [Module]Audio Kernel
(cherry-pick from b11912c59a9ff64e965bbb82137a70ae6144ce7e)
| -rw-r--r-- | sound/core/timer.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sound/core/timer.c b/sound/core/timer.c index 5a718b2d3c9a..f4864e028e30 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -279,9 +279,10 @@ int snd_timer_open(struct snd_timer_instance **ti, return -ENODEV; } if (!list_empty(&timer->open_list_head)) { - timeri = list_entry(timer->open_list_head.next, + struct snd_timer_instance *t = + list_entry(timer->open_list_head.next, struct snd_timer_instance, open_list); - if (timeri->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) { + if (t->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) { mutex_unlock(®ister_mutex); return -EBUSY; } |