From: Takashi Iwai Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200) Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() X-Git-Tag: v2.6.35.5~75 X-Git-Url: https://git.fsl.cs.sunysb.edu/?a=commitdiff_plain;h=7ab99e2ebb57576e1e853e9de18f242558196f6f;p=unionfs-2.6.39.y.git ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() commit 27f7ad53829f79e799a253285318bff79ece15bd upstream. The error handling in snd_seq_oss_open() has several bad codes that do dereferecing released pointers and double-free of kmalloc'ed data. The object dp is release in free_devinfo() that is called via private_free callback. The rest shouldn't touch this object any more. The patch changes delete_port() to call kfree() in any case, and gets rid of unnecessary calls of destructors in snd_seq_oss_open(). Fixes CVE-2010-3080. Reported-and-tested-by: Tavis Ormandy Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c index 685712276ac..69cd7b3c362 100644 --- a/sound/core/seq/oss/seq_oss_init.c +++ b/sound/core/seq/oss/seq_oss_init.c @@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level) return 0; _error: - snd_seq_oss_writeq_delete(dp->writeq); - snd_seq_oss_readq_delete(dp->readq); snd_seq_oss_synth_cleanup(dp); snd_seq_oss_midi_cleanup(dp); - delete_port(dp); delete_seq_queue(dp->queue); - kfree(dp); + delete_port(dp); return rc; } @@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp) static int delete_port(struct seq_oss_devinfo *dp) { - if (dp->port < 0) + if (dp->port < 0) { + kfree(dp); return 0; + } debug_printk(("delete_port %i\n", dp->port)); return snd_seq_event_port_detach(dp->cseq, dp->port);