• T
    ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats() · 01c0b426
    Takashi Iwai 提交于
    snd_pcm_oss_get_formats() has an obvious use-after-free around
    snd_mask_test() calls, as spotted by syzbot.  The passed format_mask
    argument is a pointer to the hw_params object that is freed before the
    loop.  What a surprise that it has been present since the original
    code of decades ago...
    
    Reported-by: syzbot+4090700a4f13fccaf648@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: NTakashi Iwai <tiwai@suse.de>
    01c0b426
pcm_oss.c 84.1 KB