From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Takashi Iwai <tiwai@suse.de>
Cc: butt3rflyh4ck <butterflyhuangxx@gmail.com>,
security@kernel.org, syzkaller <syzkaller@googlegroups.com>,
tiwai@suse.com, alsa-devel@alsa-project.org,
linux-kernel@vger.kernel.org
Subject: Re: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
Date: Thu, 7 May 2020 13:07:34 +0200 [thread overview]
Message-ID: <20200507110734.GA1490467@kroah.com> (raw)
In-Reply-To: <s5hsggc3v4p.wl-tiwai@suse.de>
On Thu, May 07, 2020 at 12:19:18PM +0200, Takashi Iwai wrote:
> On Thu, 07 May 2020 12:13:10 +0200,
> Greg Kroah-Hartman wrote:
> >
> > On Thu, May 07, 2020 at 11:56:22AM +0200, Takashi Iwai wrote:
> > > On Thu, 07 May 2020 10:23:02 +0200,
> > > Greg Kroah-Hartman wrote:
> > > >
> > > > On Thu, May 07, 2020 at 04:04:25PM +0800, butt3rflyh4ck wrote:
> > > > > I report a bug (in linux-5.7-rc1) found by syzkaller.
> > > > >
> > > > > kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.7.0-rc1.config
> > > > > reproducer: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/repro.cprog
> > > > >
> > > > > I test the reproducer in linux-5.7-rc4 and crash too.
> > > >
> > > > Great, care to create a fix for this and send it to the proper
> > > > maintainers? That's the best way to get it fixed, otherwise it just
> > > > goes in the file with the rest of the syzbot reports we are burried
> > > > under.
> > >
> > > Don't worry, I already prepared a fix patch below :)
> > >
> > >
> > > thanks,
> > >
> > > Takashi
> > >
> > > -- 8< --
> > > From: Takashi Iwai <tiwai@suse.de>
> > > Subject: [PATCH] ALSA: rawmidi: Fix racy buffer resize under concurrent
> > > accesses
> > >
> > > The rawmidi core allows user to resize the runtime buffer via ioctl,
> > > and this may lead to UAF when performed during concurrent reads or
> > > writes.
> > >
> > > This patch fixes the race by introducing a reference counter for the
> > > runtime buffer access and returns -EBUSY error when the resize is
> > > performed concurrently.
> > >
> > > Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
> > > Cc: <stable@vger.kernel.org>
> > > Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com
> > > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > > ---
> > > include/sound/rawmidi.h | 1 +
> > > sound/core/rawmidi.c | 29 ++++++++++++++++++++++++++++-
> > > 2 files changed, 29 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/include/sound/rawmidi.h b/include/sound/rawmidi.h
> > > index a36b7227a15a..334842daa904 100644
> > > --- a/include/sound/rawmidi.h
> > > +++ b/include/sound/rawmidi.h
> > > @@ -61,6 +61,7 @@ struct snd_rawmidi_runtime {
> > > size_t avail_min; /* min avail for wakeup */
> > > size_t avail; /* max used buffer for wakeup */
> > > size_t xruns; /* over/underruns counter */
> > > + int buffer_ref; /* buffer reference count */
> > > /* misc */
> > > spinlock_t lock;
> > > wait_queue_head_t sleep;
> > > diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
> > > index 20dd08e1f675..4185d9e81e3c 100644
> > > --- a/sound/core/rawmidi.c
> > > +++ b/sound/core/rawmidi.c
> > > @@ -120,6 +120,17 @@ static void snd_rawmidi_input_event_work(struct work_struct *work)
> > > runtime->event(runtime->substream);
> > > }
> > >
> > > +/* buffer refcount management: call with runtime->lock held */
> > > +static inline void snd_rawmidi_buffer_ref(struct snd_rawmidi_runtime *runtime)
> > > +{
> > > + runtime->buffer_ref++;
> > > +}
> > > +
> > > +static inline void snd_rawmidi_buffer_unref(struct snd_rawmidi_runtime *runtime)
> > > +{
> > > + runtime->buffer_ref--;
> > > +}
> >
> > Why not use the reference count structure?
>
> The context accessing the buffer is always with the spinlock, so we
> don't need expensive atomic ops there.
>
> Usually this kind of check can be a simple boolean flag, but in this
> case, there is one place that goes out of lock due to
> copy_from/to_user, so a refcount is used in this patch instead.
Ah, ok, thanks for the explanation.
greg k-h
next prev parent reply other threads:[~2020-05-07 11:07 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-07 8:04 KASAN: use-after-free Write in snd_rawmidi_kernel_write1 butt3rflyh4ck
2020-05-07 8:23 ` Greg Kroah-Hartman
2020-05-07 9:56 ` Takashi Iwai
2020-05-07 10:13 ` Greg Kroah-Hartman
2020-05-07 10:19 ` Takashi Iwai
2020-05-07 11:07 ` Greg Kroah-Hartman [this message]
2020-05-07 10:27 ` Amadeusz Sławiński
2020-05-07 10:36 ` Takashi Iwai
2020-05-07 10:42 ` Takashi Iwai
2020-05-07 11:44 ` Takashi Iwai
[not found] <CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com>
2020-05-07 8:23 ` Greg Kroah-Hartman
2020-05-07 9:50 ` Takashi Iwai
2020-05-07 10:01 ` butt3rflyh4ck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200507110734.GA1490467@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=alsa-devel@alsa-project.org \
--cc=butterflyhuangxx@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=tiwai@suse.com \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox