From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Lars-Peter Clausen <lars@metafoo.de>,
Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.de>,
Willy Tarreau <w@1wt.eu>
Subject: [ 12/48] ALSA: control: Protect user controls against
Date: Sun, 16 Nov 2014 22:53:40 +0100 [thread overview]
Message-ID: <20141116215329.144515244@1wt.eu> (raw)
In-Reply-To: <28c765bc23bd4bae1611534e510f49f8@local>
2.6.32-longterm review patch. If anyone has any objections, please let me know.
------------------
concurrent access
From: Lars-Peter Clausen <lars@metafoo.de>
[ Upstream commit 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 ]
The user-control put and get handlers as well as the tlv do not protect against
concurrent access from multiple threads. Since the state of the control is not
updated atomically it is possible that either two write operations or a write
and a read operation race against each other. Both can lead to arbitrary memory
disclosure. This patch introduces a new lock that protects user-controls from
concurrent access. Since applications typically access controls sequentially
than in parallel a single lock per card should be fine.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[wt: fixes CVE-2014-4652]
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
include/sound/core.h | 2 ++
sound/core/control.c | 31 +++++++++++++++++++++++++------
sound/core/init.c | 1 +
3 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/include/sound/core.h b/include/sound/core.h
index a61499c..3ad641c 100644
--- a/include/sound/core.h
+++ b/include/sound/core.h
@@ -120,6 +120,8 @@ struct snd_card {
int user_ctl_count; /* count of all user controls */
struct list_head controls; /* all controls for this card */
struct list_head ctl_files; /* active control files */
+ struct mutex user_ctl_lock; /* protects user controls against
+ concurrent access */
struct snd_info_entry *proc_root; /* root for soundcard specific files */
struct snd_info_entry *proc_id; /* the card id */
diff --git a/sound/core/control.c b/sound/core/control.c
index d7f4644..8bf3a6d 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -880,6 +880,7 @@ static int snd_ctl_elem_unlock(struct snd_ctl_file *file,
struct user_element {
struct snd_ctl_elem_info info;
+ struct snd_card *card;
void *elem_data; /* element data */
unsigned long elem_data_size; /* size of element data in bytes */
void *tlv_data; /* TLV data */
@@ -902,7 +903,9 @@ static int snd_ctl_elem_user_get(struct snd_kcontrol *kcontrol,
{
struct user_element *ue = kcontrol->private_data;
+ mutex_lock(&ue->card->user_ctl_lock);
memcpy(&ucontrol->value, ue->elem_data, ue->elem_data_size);
+ mutex_unlock(&ue->card->user_ctl_lock);
return 0;
}
@@ -911,10 +914,12 @@ static int snd_ctl_elem_user_put(struct snd_kcontrol *kcontrol,
{
int change;
struct user_element *ue = kcontrol->private_data;
-
+
+ mutex_lock(&ue->card->user_ctl_lock);
change = memcmp(&ucontrol->value, ue->elem_data, ue->elem_data_size) != 0;
if (change)
memcpy(ue->elem_data, &ucontrol->value, ue->elem_data_size);
+ mutex_unlock(&ue->card->user_ctl_lock);
return change;
}
@@ -934,19 +939,32 @@ static int snd_ctl_elem_user_tlv(struct snd_kcontrol *kcontrol,
new_data = memdup_user(tlv, size);
if (IS_ERR(new_data))
return PTR_ERR(new_data);
+ mutex_lock(&ue->card->user_ctl_lock);
change = ue->tlv_data_size != size;
if (!change)
change = memcmp(ue->tlv_data, new_data, size);
kfree(ue->tlv_data);
ue->tlv_data = new_data;
ue->tlv_data_size = size;
+ mutex_unlock(&ue->card->user_ctl_lock);
} else {
- if (! ue->tlv_data_size || ! ue->tlv_data)
- return -ENXIO;
- if (size < ue->tlv_data_size)
- return -ENOSPC;
+ int ret = 0;
+
+ mutex_lock(&ue->card->user_ctl_lock);
+ if (!ue->tlv_data_size || !ue->tlv_data) {
+ ret = -ENXIO;
+ goto err_unlock;
+ }
+ if (size < ue->tlv_data_size) {
+ ret = -ENOSPC;
+ goto err_unlock;
+ }
if (copy_to_user(tlv, ue->tlv_data, ue->tlv_data_size))
- return -EFAULT;
+ ret = -EFAULT;
+err_unlock:
+ mutex_unlock(&ue->card->user_ctl_lock);
+ if (ret)
+ return ret;
}
return change;
}
@@ -1035,6 +1053,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
ue = kzalloc(sizeof(struct user_element) + private_size, GFP_KERNEL);
if (ue == NULL)
return -ENOMEM;
+ ue->card = card;
ue->info = *info;
ue->info.access = 0;
ue->elem_data = (char *)ue + sizeof(*ue);
diff --git a/sound/core/init.c b/sound/core/init.c
index 82f350e..fd8590f 100644
--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -206,6 +206,7 @@ int snd_card_create(int idx, const char *xid,
INIT_LIST_HEAD(&card->devices);
init_rwsem(&card->controls_rwsem);
rwlock_init(&card->ctl_files_rwlock);
+ mutex_init(&card->user_ctl_lock);
INIT_LIST_HEAD(&card->controls);
INIT_LIST_HEAD(&card->ctl_files);
spin_lock_init(&card->files_lock);
--
1.7.12.2.21.g234cd45.dirty
next prev parent reply other threads:[~2014-11-16 22:00 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <28c765bc23bd4bae1611534e510f49f8@local>
2014-11-16 21:53 ` [ 00/48] 2.6.32.64-longterm review Willy Tarreau
2014-11-16 21:53 ` [ 01/48] x86_32, entry: Do syscall exit work on badsys Willy Tarreau
2014-11-16 21:53 ` [ 02/48] x86_32, entry: Store badsys error code in %eax Willy Tarreau
2014-11-16 21:53 ` [ 03/48] x86_32, entry: Clean up sysenter_badsys declaration Willy Tarreau
2014-11-16 21:53 ` [ 04/48] MIPS: Cleanup flags in syscall flags handlers Willy Tarreau
2014-11-16 21:53 ` [ 05/48] MIPS: asm: thread_info: Add _TIF_SECCOMP flag Willy Tarreau
2014-11-16 21:53 ` [ 06/48] fix autofs/afs/etc. magic mountpoint breakage Willy Tarreau
2014-11-16 21:53 ` [ 07/48] ALSA: control: Make sure that id->index does not Willy Tarreau
2014-11-16 21:53 ` [ 08/48] ALSA: control: Handle numid overflow Willy Tarreau
2014-11-16 21:53 ` [ 09/48] sctp: Fix sk_ack_backlog wrap-around problem Willy Tarreau
2014-11-16 21:53 ` [ 10/48] mm: try_to_unmap_cluster() should lock_page() before Willy Tarreau
2014-11-16 21:53 ` [ 11/48] filter: prevent nla extensions to peek beyond the end Willy Tarreau
2014-11-16 21:53 ` Willy Tarreau [this message]
2014-11-16 21:53 ` [ 13/48] ptrace,x86: force IRET path after a ptrace_stop() Willy Tarreau
2014-11-16 21:53 ` [ 14/48] sym53c8xx_2: Set DID_REQUEUE return code when aborting Willy Tarreau
2014-11-16 21:53 ` [ 15/48] tcp: fix tcp_match_skb_to_sack() for unaligned SACK at Willy Tarreau
2014-11-16 21:53 ` [ 16/48] igmp: fix the problem when mc leave group Willy Tarreau
2014-11-16 21:53 ` [ 17/48] appletalk: Fix socket referencing in skb Willy Tarreau
2014-11-16 21:53 ` [ 18/48] net: sctp: fix information leaks in ulpevent layer Willy Tarreau
2014-11-16 21:53 ` [ 19/48] sunvnet: clean up objects created in vnet_new() on Willy Tarreau
2014-11-16 21:53 ` [ 20/48] ipv4: fix buffer overflow in ip_options_compile() Willy Tarreau
2014-11-16 21:53 ` [ 21/48] net: sctp: inherit auth_capable on INIT collisions Willy Tarreau
2014-11-16 21:53 ` [ 22/48] net: sendmsg: fix NULL pointer dereference Willy Tarreau
2014-12-01 11:45 ` Luis Henriques
2014-12-01 12:30 ` Willy Tarreau
2014-11-16 21:53 ` [ 23/48] tcp: Fix integer-overflows in TCP veno Willy Tarreau
2014-11-16 21:53 ` [ 24/48] tcp: Fix integer-overflow in TCP vegas Willy Tarreau
2014-11-16 21:53 ` [ 25/48] macvlan: Initialize vlan_features to turn on offload Willy Tarreau
2014-11-16 21:53 ` [ 26/48] net: Correctly set segment mac_len in skb_segment() Willy Tarreau
2014-11-16 21:53 ` [ 27/48] iovec: make sure the caller actually wants anything in Willy Tarreau
2014-11-16 21:53 ` [ 28/48] sctp: fix possible seqlock seadlock in Willy Tarreau
2014-11-16 21:53 ` [ 29/48] Revert "nfsd: correctly handle return value from Willy Tarreau
2014-11-16 21:53 ` [ 30/48] dm crypt: fix access beyond the end of allocated space Willy Tarreau
2014-11-16 21:53 ` [ 31/48] gianfar: disable vlan tag insertion by default Willy Tarreau
2014-11-16 21:54 ` [ 32/48] USB: kobil_sct: fix non-atomic allocation in write Willy Tarreau
2014-11-16 21:54 ` [ 33/48] fix misuses of f_count() in ppp and netlink Willy Tarreau
2014-11-16 21:54 ` [ 34/48] net: sctp: fix skb_over_panic when receiving malformed Willy Tarreau
2014-11-16 21:54 ` [ 35/48] tty: Fix high cpu load if tty is unreleaseable Willy Tarreau
2014-11-16 21:54 ` [ 36/48] netfilter: nf_log: account for size of NLMSG_DONE Willy Tarreau
2014-11-16 21:54 ` [ 37/48] netfilter: nfnetlink_log: fix maximum packet length Willy Tarreau
2014-11-16 21:54 ` [ 38/48] ring-buffer: Always reset iterator to reader page Willy Tarreau
2014-11-16 21:54 ` [ 39/48] md/raid6: avoid data corruption during recovery of Willy Tarreau
2014-11-16 21:54 ` [ 40/48] net: pppoe: use correct channel MTU when using Willy Tarreau
2014-11-16 21:54 ` [ 41/48] ARM: 7668/1: fix memset-related crashes caused by Willy Tarreau
2014-11-16 21:54 ` [ 42/48] ARM: 7670/1: fix the memset fix Willy Tarreau
2014-11-16 21:54 ` [ 43/48] lib/lzo: Update LZO compression to current upstream Willy Tarreau
2014-11-16 21:54 ` [ 44/48] Documentation: lzo: document part of the encoding Willy Tarreau
2014-11-16 21:54 ` [ 45/48] lzo: check for length overrun in variable length Willy Tarreau
2014-11-16 21:54 ` [ 46/48] USB: add new zte 3g-dongles pid to option.c Willy Tarreau
2014-11-16 21:54 ` [ 47/48] futex: Unlock hb->lock in futex_wait_requeue_pi() Willy Tarreau
2014-11-16 21:54 ` [ 48/48] isofs: Fix unbounded recursion when processing Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141116215329.144515244@1wt.eu \
--to=w@1wt.eu \
--cc=lars@metafoo.de \
--cc=linux-kernel@vger.kernel.org \
--cc=perex@perex.cz \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox