1
linux/sound/core
Takashi Iwai 27f7ad5382 ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
The error handling in snd_seq_oss_open() has several bad codes that
do dereferecing released pointers and double-free of kmalloc'ed data.
The object dp is release in free_devinfo() that is called via
private_free callback.  The rest shouldn't touch this object any more.

The patch changes delete_port() to call kfree() in any case, and gets
rid of unnecessary calls of destructors in snd_seq_oss_open().

Fixes CVE-2010-3080.

Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-09-08 10:45:34 +02:00
..
oss ALSA: core - Define llseek fops 2010-04-13 12:01:21 +02:00
seq ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() 2010-09-08 10:45:34 +02:00
control_compat.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
control.c ALSA: core - Define llseek fops 2010-04-13 12:01:21 +02:00
device.c ALSA: Print function symbol in the error messages 2008-10-16 16:17:30 +02:00
hrtimer.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
hwdep_compat.c [PATCH] hwdep_compat missed __user annotations 2006-10-10 15:37:21 -07:00
hwdep.c ALSA: hwdep - Make open callback optional 2009-02-05 09:10:20 +01:00
info_oss.c ALSA: Kill snd_assert() in sound/core/* 2008-08-13 11:46:35 +02:00
info.c ALSA: info - Implement common llseek for binary mode 2010-04-13 12:01:20 +02:00
init.c ALSA: Remove struct snd_monitor_file from public sound/core.h 2009-09-07 15:50:18 +02:00
isadma.c ALSA: snd_dma_pointer workaround for chipsets with buggy DMA 2009-10-11 18:03:13 +02:00
jack.c Merge branch 'topic/jack' into for-linus 2010-05-20 11:59:37 +02:00
Kconfig ALSA: sound/core/pcm_timer.c: use lib/gcd.c 2009-12-22 08:24:35 +01:00
Makefile ALSA: Fix SG-buffer DMA with non-coherent architectures 2009-07-08 14:20:20 +02:00
memalloc.c ALSA: Fix SG-buffer DMA with non-coherent architectures 2009-07-08 14:20:20 +02:00
memory.c [ALSA] Remove sound/driver.h 2008-01-31 17:29:48 +01:00
misc.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
pcm_compat.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
pcm_lib.c ALSA: pcm core - add a safe check to the silence filling function 2010-07-19 16:47:01 +02:00
pcm_memory.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
pcm_misc.c ALSA: pcm: Define G723 3-bit and 5-bit formats 2010-05-31 09:10:03 +02:00
pcm_native.c ALSA: emu10k1 - delay the PCM interrupts (add pcm_irq_delay parameter) 2010-08-18 15:10:59 +02:00
pcm_timer.c ALSA: sound/core/pcm_timer.c: use lib/gcd.c 2009-12-22 08:24:35 +01:00
pcm.c ALSA: pcm: add more format names 2010-08-28 11:59:33 +02:00
rawmidi_compat.c
rawmidi.c ALSA: core - Define llseek fops 2010-04-13 12:01:21 +02:00
rtctimer.c ALSA: hda - Convert from takslet_hi_schedule() to tasklet_schedule() 2008-12-18 12:17:55 +01:00
sgbuf.c ALSA: Fix vunmap and free order in snd_free_sgbuf_pages() 2009-03-18 08:04:01 +01:00
sound_oss.c ALSA: Remove warning message for invalid OSS minor ranges 2010-01-18 14:18:55 +01:00
sound.c ALSA: Remove BKL from open multiplexer 2010-04-09 10:28:36 +02:00
timer_compat.c ALSA: Kill snd_assert() in sound/core/* 2008-08-13 11:46:35 +02:00
timer.c Merge branch 'topic/core-cleanup' into for-linus 2010-05-20 11:58:57 +02:00
vmaster.c ALSA: Add new TLV types for dBwith min/max 2009-06-17 10:56:53 +02:00