summaryrefslogtreecommitdiffstats
path: root/drivers/md/md.c
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2018-03-10 23:04:23 +0100
committerTakashi Iwai <tiwai@suse.de>2018-03-11 10:25:10 +0100
commit01c0b4265cc16bc1f43f475c5944c55c10d5768f (patch)
tree1b6bcb6a25c2c4d73eb9f3247f63c84216f6a9bb /drivers/md/md.c
parentALSA: seq: Clear client entry before deleting else at closing (diff)
downloadlinux-01c0b4265cc16bc1f43f475c5944c55c10d5768f.tar.xz
linux-01c0b4265cc16bc1f43f475c5944c55c10d5768f.zip
ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
snd_pcm_oss_get_formats() has an obvious use-after-free around snd_mask_test() calls, as spotted by syzbot. The passed format_mask argument is a pointer to the hw_params object that is freed before the loop. What a surprise that it has been present since the original code of decades ago... Reported-by: syzbot+4090700a4f13fccaf648@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'drivers/md/md.c')
0 files changed, 0 insertions, 0 deletions