Linux Kernel ALSA PCM OSS Race Condition Vulnerability

A race condition vulnerability has been identified in the Linux kernel's Advanced Linux Sound Architecture (ALSA) subsystem, specifically within the PCM OSS interface. This vulnerability arises in the 'snd_pcm_oss_sync()' function, which is invoked by the OSS PCM 'SNDCTL_DSP_SYNC' ioctl. The issue occurs because 'snd_pcm_oss_sync()' first calls 'snd_pcm_oss_make_ready()', and then acquires the 'params_lock' mutex. If another thread re-establishes the stream in between these actions, it can create an inconsistency. This may lead to unexpected outcomes, such as a NULL dereference of the OSS buffer, a scenario recently highlighted by a fuzzer.

Impact

Exploitation of this vulnerability can cause a NULL pointer dereference, leading to a crash of the ALSA OSS PCM subsystem.

Remediation

The vulnerability has been addressed by modifying the 'snd_pcm_oss_make_ready()' call to use the 'snd_pcm_oss_make_ready_locked()' variant, ensuring it operates within the same 'params_lock' mutex. Users should upgrade to the latest version of the Linux kernel where this fix is applied.