On Sat, 27 Sep 2025 10:48:02 +0200, Jeongjun Park wrote:
Hi,
Takashi Iwai tiwai@suse.de wrote:
On Sat, 27 Sep 2025 06:41:06 +0200, Jeongjun Park wrote:
The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely.
Therefore, to prevent this, the error timer must be killed before freeing the heap memory.
Cc: stable@vger.kernel.org
Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
I suppose it's a fix for the recent syzbot reports?
https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com
https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com
Oh, I didn't know it was already reported on syzbot.
I had the very same fix in mind, as posted in https://lore.kernel.org/87plbhn16a.wl-tiwai@suse.de, so I'll happily apply it if that's the case (and it was verified to work). I'm just back from vacation and trying to catch up on things.
Although it's difficult to disclose right now, I have already completed writing a PoC that triggers a UAF due to the error timer in a slightly different way than the backtrace reported to syzbot, and I have confirmed that no bugs occur when testing this patch through this PoC.
OK, so this sounds like a coincidence, but it's very likely the same issue, so I'm going to mark those syzbot reports.
thanks,
Takashi
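The ordering bug the thread discusses, as an added, constructed C model (not the kernel's usb-audio code): an endpoint object with an error timer whose callback dereferences it. Freeing is simulated by poisoning a magic field so the callback can detect a stale object, the way slab poisoning or KASAN would flag it; `fires_between` models the timer firing in the window between the two teardown steps. All names here are hypothetical.

```c
#include <stdbool.h>

#define EP_MAGIC  0x45503031u /* valid endpoint */
#define EP_POISON 0xdeadbeefu /* written on free, stands in for slab poison */

struct endpoint {
    unsigned int magic;
    int error_count;
};

/* Error timer: a pending flag plus the endpoint its callback touches. */
struct error_timer {
    bool pending;
    struct endpoint *ep;
};

/* Simulated free: the memory is kept so the poison is observable. */
static void ep_free(struct endpoint *ep) { ep->magic = EP_POISON; }

/* Kill the timer: a later fire becomes a no-op. */
static void error_timer_kill(struct error_timer *t) { t->pending = false; }

/* Timer callback. Returns true if it dereferenced a freed endpoint (UAF). */
static bool error_timer_fire(struct error_timer *t)
{
    if (!t->pending)
        return false;
    t->pending = false;
    if (t->ep->magic != EP_MAGIC)
        return true;           /* touched poisoned memory */
    t->ep->error_count++;
    return false;
}

/* Ordering from the earlier fix: delete the endpoint, then kill the timer.
 * A fire in the window between the two steps hits freed memory. */
bool teardown_kill_after_free(struct endpoint *ep, struct error_timer *t,
                              bool fires_between)
{
    bool uaf = false;
    ep_free(ep);
    if (fires_between)
        uaf = error_timer_fire(t);
    error_timer_kill(t);
    return uaf;
}

/* Ordering the patch proposes: kill the timer before freeing. A fire
 * attempt in the same window is now a no-op, so no UAF is possible. */
bool teardown_kill_before_free(struct endpoint *ep, struct error_timer *t,
                               bool fires_between)
{
    bool uaf = false;
    error_timer_kill(t);
    if (fires_between)
        uaf = error_timer_fire(t);
    ep_free(ep);
    return uaf;
}
```

In the real driver the window is the gap between the endpoint release and the timer kill; the safe ordering closes it regardless of when the timer would have fired.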