From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, 范龙飞 <long7573@126.com>,
	"Takashi Iwai" <tiwai@suse.de>
Subject: [PATCH 4.4 26/33] ALSA: seq: Fix racy pool initializations
Date: Wed, 21 Feb 2018 13:45:09 +0100	[thread overview]
Message-ID: <20180221124410.970901445@linuxfoundation.org> (raw)
In-Reply-To: <20180221124409.564661689@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit d15d662e89fc667b90cd294b0eb45694e33144da upstream.

ALSA sequencer core initializes the event pool on demand by invoking
snd_seq_pool_init() when the first write happens and the pool is
empty.  Meanwhile the user can reset the pool size manually via ioctl
concurrently, and this may lead to UAF or out-of-bounds accesses since
the function tries to vmalloc / vfree the buffer.

A simple fix is to just wrap the snd_seq_pool_init() call with the
recently introduced client->ioctl_mutex; as the calls for
snd_seq_pool_init() from the other side are always protected with this
mutex, we can avoid the race.

Reported-by: 范龙飞 <long7573@126.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/seq/seq_clientmgr.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1012,7 +1012,7 @@ static ssize_t snd_seq_write(struct file
 {
 	struct snd_seq_client *client = file->private_data;
 	int written = 0, len;
-	int err = -EINVAL;
+	int err;
 	struct snd_seq_event event;
 
 	if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
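Review bot: dropping the initializer in `int err;` leaves `err` unassigned from the declaration until it is set again further down, so every early-return path in the elided lines between `if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))` and the pool allocation block must return a constant rather than `err`; please confirm that against the full function (a `-Wmaybe-uninitialized` build is a cheap check), or keep `int err = -EINVAL;` and simply overwrite it in the pool block.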
@@ -1027,11 +1027,15 @@ static ssize_t snd_seq_write(struct file
 
 	/* allocate the pool now if the pool is not allocated yet */ 
 	if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
-		if (snd_seq_pool_init(client->pool) < 0)
+		mutex_lock(&client->ioctl_mutex);
+		err = snd_seq_pool_init(client->pool);
+		mutex_unlock(&client->ioctl_mutex);
+		if (err < 0)
 			return -ENOMEM;
 	}
 
 	/* only process whole events */
+	err = -EINVAL;
 	while (count >= sizeof(struct snd_seq_event)) {
 		/* Read in the event header from the user */
 		len = sizeof(event);
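Review bot: the `client->pool->size > 0 && !snd_seq_write_pool_allocated(client)` check still runs outside `client->ioctl_mutex`, so a concurrent ioctl can allocate or resize the pool between that check and `mutex_lock(&client->ioctl_mutex);`; the fix is only complete if `snd_seq_pool_init()` itself tolerates an already-allocated pool under the mutex, which this hunk does not show, so please confirm that or move the check inside the locked region. Separately, `if (err < 0) return -ENOMEM;` discards the actual error code; returning `err` would preserve whatever `snd_seq_pool_init()` reports.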
