Description of problem:
There is a bug in snd_seq_oss_open from sound/core/seq/oss/seq_oss_init.c. So here's the error path for some setup failure:
This looks okay, but actually, delete_port calls port_delete (eventually...
this code is tough to follow) which does a free_devinfo on the owner struct
seq_oss_devinfo, here (around ~269 in seq_ports.c):
because of this (around ~334 in seq_oss_init.c):
	memset(&callback, 0, sizeof(callback));
	callback.owner = THIS_MODULE;
	callback.private_data = dp;			/* the port now owns dp */
	callback.event_input = snd_seq_oss_event_input;
	callback.private_free = free_devinfo;		/* run by the port layer when the port is deleted */
	port.kernel = &callback;
Which does this:
static void free_devinfo(void *private)
{
	struct seq_oss_devinfo *dp = (struct seq_oss_devinfo *)private;
	delete_seq_queue(dp->queue);	/* <= Oops, dereferencing released pointer. */
	kfree(dp);			/* <= Oops, double free. */
}
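The ownership mistake described above, as an added user-space model that is not kernel code and not part of this bug report: struct devinfo, struct port, delete_queue(), release_devinfo() and register_port() are constructed stand-ins for seq_oss_devinfo, the sequencer port, delete_seq_queue(), kfree() and the callback setup, and the counters replace real allocation so the double free is observed rather than corrupting a heap. open_buggy() follows the error path in the report; open_fixed() is a defensive variant (not the upstream patch) in which the caller stops touching dp once delete_port() has taken over cleanup.

```c
#include <stdio.h>

/* Constructed stand-in for struct seq_oss_devinfo. Counters replace kmalloc/kfree
 * so a second free is recorded instead of triggering undefined behaviour. */
struct devinfo {
	int queue_id;       /* stand-in for dp->queue */
	int queue_deleted;  /* successful delete_queue() calls */
	int stale_access;   /* delete_queue() calls made after dp was released */
	int freed;          /* release_devinfo() calls; 2 means a double free */
};

/* Mirrors the relevant part of the kernel port callback: private_free is run by
 * the port layer when the port is deleted, with private_data as its argument. */
struct port_callback {
	void *private_data;
	void (*private_free)(void *private);
};

struct port {
	struct port_callback cb;
	int registered;
};

/* Stand-in for delete_seq_queue(dp->queue). */
static void delete_queue(struct devinfo *dp)
{
	if (dp->freed) {
		dp->stale_access++;   /* dereferencing an already released object */
		return;
	}
	dp->queue_deleted++;
}

/* Stand-in for kfree(dp). */
static void release_devinfo(struct devinfo *dp)
{
	dp->freed++;
}

/* Same shape as the kernel's free_devinfo(): the port owns dp and tears it down. */
static void free_devinfo(void *private)
{
	struct devinfo *dp = private;
	delete_queue(dp);
	release_devinfo(dp);
}

/* Stand-in for delete_port()/port_delete(): runs the owner's private_free. */
static void delete_port(struct port *p)
{
	if (p->registered && p->cb.private_free)
		p->cb.private_free(p->cb.private_data);
	p->registered = 0;
}

/* Stand-in for the callback setup shown in the report. */
static void register_port(struct devinfo *dp, struct port *p)
{
	p->cb.private_data = dp;
	p->cb.private_free = free_devinfo;
	p->registered = 1;
}

/* Error path as described in the report: delete_port() already ran free_devinfo(),
 * yet the caller goes on to delete the queue and free dp a second time. */
int open_buggy(struct devinfo *dp, struct port *p)
{
	register_port(dp, p);
	/* ... a later setup step fails ... */
	delete_port(p);
	delete_queue(dp);      /* use after release */
	release_devinfo(dp);   /* double free */
	return -1;
}

/* Defensive variant (added here, not the upstream patch): once the port callback
 * owns dp, the error path leaves cleanup to delete_port() and never touches dp again. */
int open_fixed(struct devinfo *dp, struct port *p)
{
	register_port(dp, p);
	/* ... a later setup step fails ... */
	delete_port(p);
	return -1;
}

/* Runs one open path on a fresh devinfo; returns how many times dp was freed. */
int frees_on_path(int (*open_fn)(struct devinfo *, struct port *))
{
	struct devinfo dp = { .queue_id = 7 };
	struct port p = { { 0, 0 }, 0 };
	open_fn(&dp, &p);
	return dp.freed;
}

/* Same, but returns how many times dp was dereferenced after being released. */
int stale_accesses_on_path(int (*open_fn)(struct devinfo *, struct port *))
{
	struct devinfo dp = { .queue_id = 7 };
	struct port p = { { 0, 0 }, 0 };
	open_fn(&dp, &p);
	return dp.stale_access;
}

int main(void)
{
	printf("buggy path: frees=%d stale=%d\n",
	       frees_on_path(open_buggy), stale_accesses_on_path(open_buggy));
	printf("fixed path: frees=%d stale=%d\n",
	       frees_on_path(open_fixed), stale_accesses_on_path(open_fixed));
	return 0;
}
```

The point the model makes is about ownership: the moment private_free is registered, the port owns dp, so any error path that runs after delete_port() must not free or dereference dp itself. The same check (count frees and post-release accesses per object) is what a KASAN or debug-slab build reports for the real kernel path.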
Red Hat would like to thank Tavis Ormandy for reporting this issue.
This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5 as it did not include upstream commit 7034632d that introduced the problem. It did not affect Red Hat Enterprise MRG as the /dev/sequencer device file is restricted to root access only.
Now merged upstream:
Fixed in 22.214.171.124, 126.96.36.199 and 188.8.131.52
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html