From: Nicolai Stange <nstange@suse.de>
To: Takashi Iwai <tiwai@suse.de>
Cc: alsa-devel@alsa-project.org, "Miroslav Benes" <mbenes@suse.cz>,
范龙飞 <long7573@126.com>, "Nicolai Stange" <nstange@suse.de>
Subject: Re: [PATCH 1/2] ALSA: seq: Don't allow resizing pool in use
Date: Thu, 08 Mar 2018 11:44:47 +0100
Message-ID: <87h8pqj17k.fsf@suse.de>
In-Reply-To: <20180308071856.12149-2-tiwai@suse.de> (Takashi Iwai's message of "Thu, 8 Mar 2018 08:18:55 +0100")
Takashi Iwai <tiwai@suse.de> writes:
> This is a fix for a (sort of) fallout in the recent commit
> d15d662e89fc ("ALSA: seq: Fix racy pool initializations") for
> CVE-2018-1000004.
> As the pool resize deletes the existing cells, it may lead to a race
> when another thread is writing concurrently, eventually resulting in a
> UAF.
>
> A simple workaround is not to allow the pool resizing when the pool is
> in use. It's an invalid behavior anyway.
>
> Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations")
> Reported-by: 范龙飞 <long7573@126.com>
> Reported-by: Nicolai Stange <nstange@suse.de>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
> sound/core/seq/seq_clientmgr.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
> index 04d4db44fae5..d41ce3ed62ca 100644
> --- a/sound/core/seq/seq_clientmgr.c
> +++ b/sound/core/seq/seq_clientmgr.c
> @@ -1838,6 +1838,9 @@ static int snd_seq_ioctl_set_client_pool(struct snd_seq_client *client,
> (! snd_seq_write_pool_allocated(client) ||
> info->output_pool != client->pool->size)) {
> if (snd_seq_write_pool_allocated(client)) {
Maybe I'm missing something, but doesn't this
> + /* is the pool in use? */
> + if (atomic_read(&client->pool->counter))
> + return -EBUSY;
> /* remove all existing cells */
> snd_seq_pool_mark_closing(client->pool);
render this
> snd_seq_queue_client_leave_cells(client->number);
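Review bot: the `atomic_read(&client->pool->counter)` check added at the top of this hunk is a plain snapshot, so it only closes the window if the write path that bumps the counter is serialized with this ioctl (the protection that [2/2] "More protection for concurrent write and ioctl races" describes); without that, a writer can still take a cell between the check and `snd_seq_pool_mark_closing(client->pool)`, and the commit message should say that this patch relies on 2/2 rather than presenting the check as sufficient on its own. Once the check has passed with counter == 0 there are no outstanding cells, so the unchanged `snd_seq_queue_client_leave_cells(client->number)` below has nothing left to remove; either drop it under that locking or add a comment saying why it is kept. -EBUSY is also a new user-visible return for this ioctl and deserves a line in the commit message.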
useless (assuming the presence of [2/2] ("ALSA: seq: More protection for
concurrent write and ioctl races"))?
Thanks,
Nicolai
--
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
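The race the commit message describes, an in-use check followed by a teardown while a writer may still be allocating from the same pool, is easiest to see with the interleavings written out. The block below is an added example and not code from the ALSA sequencer or from this thread: a toy pool with a counter and a closing flag, whose field and function names are assumptions chosen to mirror the patch, run through the order an unserialized check permits and the two orders a lock shared by the write and ioctl paths permits.

```c
/*
 * Toy model of the check-then-teardown race discussed in this thread.
 * Added example, NOT ALSA sequencer code: the names (counter, closing,
 * EBUSY) are assumptions that mirror the patch, there are no real
 * threads, and each function is one step a scheduler could run; the
 * interleavings are written out by hand.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define POOL_CELLS 4

struct cell {
    bool in_use;   /* handed out to a writer */
    bool freed;    /* torn down by the resize path */
};

struct pool {
    struct cell *cells;  /* current backing storage */
    int counter;         /* cells in use (like client->pool->counter) */
    bool closing;        /* set before teardown (like mark_closing) */
};

struct outcome {
    int resize_rc;   /* what the resize ioctl returned: 0 or -EBUSY */
    bool uaf;        /* did the writer touch a freed cell? */
};

/* Writer side: grab a free cell and bump the in-use counter. */
static struct cell *writer_alloc(struct pool *p)
{
    if (p->closing)
        return NULL;
    for (int i = 0; i < POOL_CELLS; i++) {
        if (!p->cells[i].in_use && !p->cells[i].freed) {
            p->cells[i].in_use = true;
            p->counter++;
            return &p->cells[i];
        }
    }
    return NULL;
}

/* Writer side: touch the cell; true means it touched freed memory. */
static bool writer_use(const struct cell *c)
{
    return c != NULL && c->freed;
}

/* Resize side, step 1: the in-use check the hunk adds. */
static int resize_check(const struct pool *p)
{
    return p->counter ? -EBUSY : 0;
}

/* Resize side, step 2: mark closing, free every old cell, install a new pool.
 * Pointers a writer still holds into the old storage are now dangling. */
static void resize_teardown_and_reinit(struct pool *p, struct cell *fresh)
{
    p->closing = true;
    for (int i = 0; i < POOL_CELLS; i++)
        p->cells[i].freed = true;
    p->cells = fresh;
    p->counter = 0;
    p->closing = false;
}

/* Order allowed when the check is not serialized with the writer:
 * check passes, writer allocates, teardown frees the writer's cell. */
static struct outcome racy_interleaving(void)
{
    struct cell old[POOL_CELLS] = {0}, fresh[POOL_CELLS] = {0};
    struct pool p = { .cells = old };
    struct outcome o = { 0, false };
    struct cell *c;

    o.resize_rc = resize_check(&p);             /* ioctl: counter 0, passes */
    c = writer_alloc(&p);                       /* write(): slips in after the check */
    if (o.resize_rc == 0)
        resize_teardown_and_reinit(&p, fresh);  /* ioctl: frees the cell c points to */
    o.uaf = writer_use(c);                      /* use after free */
    return o;
}

/* With one lock taken by both write() and the ioctl, only two orders exist:
 * the writer finishes first (check sees counter 1 and returns -EBUSY), or
 * the writer runs only after check + teardown (it gets a fresh cell). */
static struct outcome serialized_interleaving(bool writer_first)
{
    struct cell old[POOL_CELLS] = {0}, fresh[POOL_CELLS] = {0};
    struct pool p = { .cells = old };
    struct outcome o = { 0, false };
    struct cell *c = NULL;

    if (writer_first)
        c = writer_alloc(&p);                   /* write() completes under the lock */
    o.resize_rc = resize_check(&p);             /* ioctl: check ... */
    if (o.resize_rc == 0)
        resize_teardown_and_reinit(&p, fresh);  /* ... and teardown, without a gap */
    if (!writer_first)
        c = writer_alloc(&p);                   /* write() waited for the lock */
    o.uaf = writer_use(c);
    return o;
}

int main(void)
{
    struct outcome r = racy_interleaving();
    struct outcome a = serialized_interleaving(true);
    struct outcome b = serialized_interleaving(false);

    printf("unserialized check: rc=%d uaf=%d\n", r.resize_rc, r.uaf);
    printf("locked, writer first: rc=%d uaf=%d\n", a.resize_rc, a.uaf);
    printf("locked, writer after: rc=%d uaf=%d\n", b.resize_rc, b.uaf);
    return 0;
}
```

The model makes the point of the thread concrete: the -EBUSY check is only as good as the serialization around it. Without a lock shared with the write path the check passes and the writer's cell is freed underneath it; with the lock, the writer either completes first and the ioctl sees the counter and backs off, or it starts after the new pool is in place and never sees the old cells.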
Thread overview: 6+ messages
2018-03-08 7:18 [PATCH 0/2] More hardening for ALSA sequencer write/ioctl races Takashi Iwai
2018-03-08 7:18 ` [PATCH 1/2] ALSA: seq: Don't allow resizing pool in use Takashi Iwai
2018-03-08 10:44 ` Nicolai Stange [this message]
2018-03-08 10:56 ` Takashi Iwai
2018-03-08 7:18 ` [PATCH 2/2] ALSA: seq: More protection for concurrent write and ioctl races Takashi Iwai
2018-03-08 10:38 ` Nicolai Stange