anthias: audio: security patch for CVE-2016-2544, CVE-2016-2546 and CVE-2014-9904
ALSA: seq: Fix race at timer setup and close ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by syzkaller fuzzer, and a use-after-free was caught there as a result. This patch papers over it by adding a proper queue->timer_mutex lock around the timer-related calls in the relevant code path. Reported-by:Dmitry Vyukov <dvyukov@google.com> Tested-by:
Dmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by:
Takashi Iwai <tiwai@suse.de> ALSA: timer: Fix race among timer ioctls ALSA timer ioctls have an open race and this may lead to a use-after-free of timer instance object. A simplistic fix is to make each ioctl exclusive. We have already tread_sem for controlling the tread, and extend this as a global mutex to be applied to each ioctl. The downside is, of course, the worse concurrency. But these ioctls aren't to be parallel accessible, in anyway, so it should be fine to serialize there. Reported-by:
Dmitry Vyukov <dvyukov@google.com> Tested-by:
Dmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by:
Takashi Iwai <tiwai@suse.de> ALSA: compress: fix an integer overflow check I previously added an integer overflow check here but looking at it now, it's still buggy. The bug happens in snd_compr_allocate_buffer(). We multiply ".fragments" and ".fragment_size" and that doesn't overflow but then we save it in an unsigned int so it truncates the high bits away and we allocate a smaller than expected size. Change-Id: I39d409a8f737c83880bc7f1383dc066c3afb1beb Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/248049 Reviewed-by:
Carol_Jiang <carol_jiang@asus.com> Tested-by:
Carol_Jiang <carol_jiang@asus.com>
Please register or sign in to comment