linux/sound/pci/ctxfi
Julia Lawall fa2b30af84 ALSA: sound/pci/ctxfi/ctpcm.c: Remove potential for use after free
In each function, the value apcm is stored in the private_data field of
runtime.  At the same time the function ct_atc_pcm_free_substream is stored
in the private_free field of the same structure.  ct_atc_pcm_free_substream
dereferences and ultimately frees the value in the private_data field.  But
each function can exit in an error case with apcm having been freed, in
which case a subsequent call to the private_free function would perform a
dereference after free.  On the other hand, if the private_free field is
not initialized, it is NULL, and not invoked (see snd_pcm_detach_substream
in sound/core/pcm.c).  To avoid the introduction of a dangling pointer, the
initializations of the private_data and private_free fields are moved to
the end of the function, past any possible free of apcm.  This is safe
because the previous calls to snd_pcm_hw_constraint_integer and
snd_pcm_hw_constraint_minmax, which take runtime as an argument, do not
refer to either of these fields.

In each function, there is one error case where apcm needs to be freed, and
a call to kfree is added.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression e,e1,e2,e3;
identifier f,free1,free2;
expression a;
@@

*e->f = a
... when != e->f = e1
    when any
if (...) {
  ... when != free1(...,e,...)
      when != e->f = e2
* kfree(a)
  ... when != free2(...,e,...)
      when != e->f = e3
}
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-11-11 02:03:00 +01:00
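The ordering bug the commit describes, as an added example that is not the driver's code: constructed fake_* stand-ins model the runtime's private_data/private_free fields and the detach routine, with kfree() replaced by a flag so the dereference after free can be observed instead of crashing.

```c
#include <stddef.h>
/* Added example, not the driver's code: a constructed model of the ordering bug
 * in the commit message. The fake_* names stand in for the ALSA structures. */
struct fake_apcm { int freed; };           /* records kfree() instead of doing it */
struct fake_runtime { struct fake_apcm *private_data;
                      void (*private_free)(struct fake_runtime *rt); };
static int g_use_after_free;               /* set if a freed apcm is touched */
/* Stand-in for ct_atc_pcm_free_substream: dereferences and frees private_data. */
static void fake_free_substream(struct fake_runtime *rt)
{
    struct fake_apcm *apcm = rt->private_data;
    if (apcm->freed)
        g_use_after_free = 1;              /* the dereference after free */
    apcm->freed = 1;
}
/* Stand-in for snd_pcm_detach_substream: private_free runs only when set. */
static void fake_detach(struct fake_runtime *rt)
{
    if (rt->private_free)
        rt->private_free(rt);
}
/* Original ordering: callback registered before an error exit frees apcm. */
int open_buggy(struct fake_runtime *rt, struct fake_apcm *apcm, int err)
{
    rt->private_data = apcm;
    rt->private_free = fake_free_substream;
    if (err) { apcm->freed = 1; return -1; } /* constraint failed: kfree(apcm) */
    return 0;
}
/* Patched ordering: the fields are set only once apcm can no longer be freed. */
int open_fixed(struct fake_runtime *rt, struct fake_apcm *apcm, int err)
{
    if (err) { apcm->freed = 1; return -1; } /* constraint failed: kfree(apcm) */
    rt->private_data = apcm;
    rt->private_free = fake_free_substream;
    return 0;
}
/* Run open() with the given outcome, then detach; 1 if a use after free happened. */
int simulate(int (*open_fn)(struct fake_runtime *, struct fake_apcm *, int), int err)
{
    struct fake_runtime rt = { NULL, NULL };
    struct fake_apcm apcm = { 0 };
    g_use_after_free = 0;
    (void)open_fn(&rt, &apcm, err);
    fake_detach(&rt);
    return g_use_after_free;
}
```

With the patched ordering the error path leaves private_free NULL, so detach skips the callback and apcm is freed exactly once.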
ct20k1reg.h ALSA: ctxfi - Use native timer interrupt on emu20k1 2009-06-05 16:44:13 +02:00
ct20k2reg.h ALSA: ctxfi - Native timer support for emu20k2 2009-07-20 13:41:35 +02:00
ctamixer.c ALSA: ctxfi - Simple code clean up 2009-07-22 17:12:34 +02:00
ctamixer.h
ctatc.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ctatc.h ALSA: ctxfi - Add subsystem option 2010-01-14 09:23:10 +01:00
ctdaio.c ALSA: ctxfi - Simple code clean up 2009-07-22 17:12:34 +02:00
ctdaio.h
cthardware.c ALSA: ctxfi - Clean up probe routines 2009-06-08 18:10:32 +02:00
cthardware.h ALSA: ctxfi - Add PM support 2009-06-22 14:53:51 +02:00
cthw20k1.c ALSA: ctxfi - Simple code clean up 2009-07-22 17:12:34 +02:00
cthw20k1.h
cthw20k2.c ALSA: ctxfi - Simple code clean up 2009-07-22 17:12:34 +02:00
cthw20k2.h
ctimap.c ALSA: ctxfi - Remove useless initializations and cast 2009-06-08 14:57:57 +02:00
ctimap.h
ctmixer.c ALSA: ctxfi - Simple code clean up 2009-07-22 17:12:34 +02:00
ctmixer.h ALSA: ctxfi - Add PM support 2009-06-22 14:53:51 +02:00
ctpcm.c ALSA: sound/pci/ctxfi/ctpcm.c: Remove potential for use after free 2010-11-11 02:03:00 +01:00
ctpcm.h
ctresource.c ALSA: ctxfi - Simple code clean up 2009-07-22 17:12:34 +02:00
ctresource.h
ctsrc.c ALSA: ctxfi - Simple code clean up 2009-07-22 17:12:34 +02:00
ctsrc.h
cttimer.c ALSA: ctxfi - Fix deadlock with xfi-timer 2009-06-15 14:52:55 +02:00
cttimer.h ALSA: ctxfi - Use native timer interrupt on emu20k1 2009-06-05 16:44:13 +02:00
ctvmem.c ALSA: ctxfi - fix PTP address initialization 2010-02-04 21:48:00 +01:00
ctvmem.h ALSA: ctxfi - fix PTP address initialization 2010-02-04 21:48:00 +01:00
Makefile ALSA: ctxfi - Use native timer interrupt on emu20k1 2009-06-05 16:44:13 +02:00
xfi.c sound: use DEFINE_PCI_DEVICE_TABLE 2010-02-09 11:08:33 +01:00