Subject: Re: [PATCH] sound/isa/sb/emu8000: Fix a use after free in snd_emu8000_create_mixer
From: Jaroslav Kysela
To: Takashi Iwai, Lv Yunlong
Cc: tiwai@suse.com, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Date: Mon, 26 Apr 2021 16:38:41 +0200
References: <20210426131129.4796-1-lyl2019@mail.ustc.edu.cn>
List-ID: linux-kernel@vger.kernel.org

On 26. 04. 21 at 16:23, Takashi Iwai wrote:
> On Mon, 26 Apr 2021 15:11:29 +0200,
> Lv Yunlong wrote:
>>
>> Our code analyzer reported a UAF.
>>
>> In snd_emu8000_create_mixer, the callee snd_ctl_add(..,emu->controls[i])
>> calls snd_ctl_add_replace(.., kcontrol,..). Inside snd_ctl_add_replace(),
>> if an error happens, kcontrol will be freed by snd_ctl_free_one(kcontrol).
>> Then emu->controls[i] points to freed memory, and the execution comes
>> to the __error branch of snd_emu8000_create_mixer. The freed emu->controls[i]
>> is used in snd_ctl_remove(card, emu->controls[i]).
>>
>> My patch sets emu->controls[i] to NULL if snd_ctl_add() failed, to avoid
>> the UAF.
>>
>> Signed-off-by: Lv Yunlong
>
> Thanks, applied now.
>
> The bug was hard to see due to the coding style, so we'd need a
> cleanup, but it's a different story...

Yes, it would be better to assign the return value from snd_ctl_new1 to a
local variable and set emu->controls[i] only when everything succeeds.

				Jaroslav

-- 
Jaroslav Kysela
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
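The ownership rule the thread turns on (snd_ctl_add() frees the kcontrol it was handed whenever it fails, so the caller's copy of the pointer is dead after a negative return) is easy to state and easy to miss in the driver's `if ((err = snd_ctl_add(card, emu->controls[i] = ...)) < 0)` shape. The following user-space model is an added example for this thread, not ALSA or kernel code: the struct and function names mirror sound/core/control.c and sound/isa/sb/emu8000.c so the control flow reads the same, but snd_ctl_new1() takes no arguments, `EMU8000_NUM_CONTROLS` is an assumed small count, and the `freed` flag, the `fail_at` knob and the quarantine array are model-only additions that make the dangling use countable without KASAN. It puts the pre-patch shape of snd_emu8000_create_mixer() beside the local-variable cleanup Jaroslav suggests.

```c
/* Constructed user-space model of the contract behind the fix: on error
 * snd_ctl_add() frees the kcontrol it was given. Names mirror sound/core/control.c
 * and sound/isa/sb/emu8000.c; this is not kernel code, and the "freed" flag and
 * the quarantine (where the kernel would return memory to the slab) are model-only. */
#include <errno.h>
#include <stdlib.h>

#define EMU8000_NUM_CONTROLS 3	/* assumption: any small count shows the pattern */
struct snd_kcontrol { int freed; };	/* model only: set by snd_ctl_free_one() */
struct snd_emu8000 { struct snd_kcontrol *controls[EMU8000_NUM_CONTROLS]; };
struct snd_card {	/* model only: fail_at = index of the add that fails (-1 = never) */
	int count, fail_at, uaf_hits;	/* uaf_hits: freed kcontrols seen by snd_ctl_remove() */
};
static struct snd_kcontrol *quarantine[EMU8000_NUM_CONTROLS];
static int quarantine_len;

static void snd_ctl_free_one(struct snd_kcontrol *kctl)
{
	kctl->freed = 1;
	quarantine[quarantine_len++] = kctl;
}

static struct snd_kcontrol *snd_ctl_new1(void)
{
	return calloc(1, sizeof(struct snd_kcontrol));
}

/* Callee frees on error: after a negative return the caller's pointer is dead. */
static int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kctl)
{
	if (!kctl)
		return -EINVAL;
	if (card->count == card->fail_at) {	/* e.g. a duplicate control id */
		snd_ctl_free_one(kctl);
		return -EBUSY;
	}
	card->count++;
	return 0;
}

static int snd_ctl_remove(struct snd_card *card, struct snd_kcontrol *kctl)
{
	if (kctl->freed) {	/* stands in for the kernel's list_del() on freed memory */
		card->uaf_hits++;
		return -ENOENT;
	}
	card->count--;
	snd_ctl_free_one(kctl);
	return 0;
}

/* Pre-patch shape of snd_emu8000_create_mixer(): the slot is written before
 * snd_ctl_add() runs, so after a failure the __error loop removes a freed pointer. */
static int create_mixer_buggy(struct snd_card *card, struct snd_emu8000 *emu)
{
	int i, err = 0;
	for (i = 0; i < EMU8000_NUM_CONTROLS; i++) {
		emu->controls[i] = snd_ctl_new1();
		if ((err = snd_ctl_add(card, emu->controls[i])) < 0)
			goto __error;
	}
	return 0;
__error:
	for (i = 0; i < EMU8000_NUM_CONTROLS; i++)
		if (emu->controls[i])
			snd_ctl_remove(card, emu->controls[i]);
	return err;
}

/* The cleanup suggested in the reply: build into a local and store it only once
 * snd_ctl_add() accepted it (the applied patch instead NULLs the slot on failure). */
static int create_mixer_fixed(struct snd_card *card, struct snd_emu8000 *emu)
{
	struct snd_kcontrol *kctl;
	int i, err = 0;
	for (i = 0; i < EMU8000_NUM_CONTROLS; i++) {
		kctl = snd_ctl_new1();
		if ((err = snd_ctl_add(card, kctl)) < 0)
			goto __error;	/* kctl is already gone: neither use nor store it */
		emu->controls[i] = kctl;
	}
	return 0;
__error:
	for (i = 0; i < EMU8000_NUM_CONTROLS; i++)
		if (emu->controls[i])
			snd_ctl_remove(card, emu->controls[i]);
	return err;
}

/* Runs one variant with add number fail_at failing; returns freed kcontrols reaching snd_ctl_remove(). */
static int run_model(int (*create)(struct snd_card *, struct snd_emu8000 *),
		     int fail_at)
{
	struct snd_card card = { .fail_at = fail_at };
	struct snd_emu8000 emu = { { NULL } };	/* the driver kzalloc()s emu */
	int i;
	create(&card, &emu);
	for (i = 0; i < EMU8000_NUM_CONTROLS; i++)	/* release controls still registered */
		if (emu.controls[i] && !emu.controls[i]->freed)
			free(emu.controls[i]);
	for (i = 0; i < quarantine_len; i++)
		free(quarantine[i]);
	quarantine_len = 0;
	return card.uaf_hits;
}
```

`run_model(create_mixer_buggy, 1)` reports one freed kcontrol reaching snd_ctl_remove() (the second add fails, its slot still holds the freed pointer, and the __error loop passes it on), while `run_model(create_mixer_fixed, 1)` reports none because the slot was never written. The same holds for a failure on the first add, and a run with no failure is clean for both shapes; in the kernel the equivalent of the `freed` check is the list_del() inside snd_ctl_remove() touching slab memory that is no longer the driver's, which is what KASAN would report.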