diff options
Diffstat (limited to 'alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch')
| -rw-r--r-- | alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch | 53 |
1 files changed, 0 insertions, 53 deletions
diff --git a/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch b/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch deleted file mode 100644 index 73e65ec..0000000 --- a/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch +++ /dev/null @@ -1,53 +0,0 @@ -From: Takashi Iwai <tiwai@suse.de> -Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200) -Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() -X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd - -ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() - -The error handling in snd_seq_oss_open() has several bad codes that -do dereferecing released pointers and double-free of kmalloc'ed data. -The object dp is release in free_devinfo() that is called via -private_free callback. The rest shouldn't touch this object any more. - -The patch changes delete_port() to call kfree() in any case, and gets -rid of unnecessary calls of destructors in snd_seq_oss_open(). - -Fixes CVE-2010-3080. - -Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com> -Cc: <stable@kernel.org> -Signed-off-by: Takashi Iwai <tiwai@suse.de> ---- - -diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c -index 6857122..69cd7b3 100644 ---- a/sound/core/seq/oss/seq_oss_init.c -+++ b/sound/core/seq/oss/seq_oss_init.c -@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level) - return 0; - - _error: -- snd_seq_oss_writeq_delete(dp->writeq); -- snd_seq_oss_readq_delete(dp->readq); - snd_seq_oss_synth_cleanup(dp); - snd_seq_oss_midi_cleanup(dp); -- delete_port(dp); - delete_seq_queue(dp->queue); -- kfree(dp); -+ delete_port(dp); - - return rc; - } -@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp) - static int - delete_port(struct seq_oss_devinfo *dp) - { -- if (dp->port < 0) -+ if (dp->port < 0) { -+ kfree(dp); - return 0; -+ } - - debug_printk(("delete_port %i\n", dp->port)); - return snd_seq_event_port_detach(dp->cseq, dp->port); |