Re: [PATCH] ALSA: pcm: oss: Fix setup list UAF on proc write error

Next message: Wachowski, Karol: "Re: [PATCH] accel/ivpu: prevent uninitialized data bug in debugfs"
Previous message: Tom Gebhardt: "Re: [PATCH v2 00/13] sched/fair/schedutil: Better manage system response time"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Takashi Iwai

Date: Mon May 25 2026 - 03:25:31 EST

On Sat, 23 May 2026 03:09:40 +0200,
Cássio Gabriel wrote:
>
> snd_pcm_oss_proc_write() links a newly allocated setup entry into the
> OSS setup list before duplicating the task name. If the task-name
> allocation fails, the error path frees the already linked entry and
> leaves setup_list pointing at freed memory.
>
> A later OSS device open can then walk the stale list entry in
> snd_pcm_oss_look_for_setup() and dereference freed memory.
>
> Allocate the task name and initialize the setup entry before publishing
> the entry on setup_list. Also fetch the initial proc read iterator only
> after taking setup_mutex, so all setup_list traversal follows the same
> list lifetime rules.
>
> Reported-by: syzbot+8e498074a794999eb41c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://lore.kernel.org/all/6a1062b7.170a0220.35b2b7.0003.GAE@xxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=8e498074a794999eb41c
> Fixes: 060d77b9c04a ("[ALSA] Fix / clean up PCM-OSS setup hooks")
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>

Applied now. Thanks.

Takashi