From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Vegard Nossum <vegard.nossum@oracle.com>,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.7 54/59] ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
Date: Mon, 12 Sep 2016 17:30:14 +0200 [thread overview]
Message-ID: <20160912152131.042139742@linuxfoundation.org> (raw)
In-Reply-To: <20160912152128.765864031@linuxfoundation.org>
4.7-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 11749e086b2766cccf6217a527ef5c5604ba069c upstream.
I got this with syzkaller:
==================================================================
BUG: KASAN: null-ptr-deref on address 0000000000000020
Read of size 32 by task syz-executor/22519
CPU: 1 PID: 22519 Comm: syz-executor Not tainted 4.8.0-rc2+ #169
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2
014
0000000000000001 ffff880111a17a00 ffffffff81f9f141 ffff880111a17a90
ffff880111a17c50 ffff880114584a58 ffff880114584a10 ffff880111a17a80
ffffffff8161fe3f ffff880100000000 ffff880118d74a48 ffff880118d74a68
Call Trace:
[<ffffffff81f9f141>] dump_stack+0x83/0xb2
[<ffffffff8161fe3f>] kasan_report_error+0x41f/0x4c0
[<ffffffff8161ff74>] kasan_report+0x34/0x40
[<ffffffff82c84b54>] ? snd_timer_user_read+0x554/0x790
[<ffffffff8161e79e>] check_memory_region+0x13e/0x1a0
[<ffffffff8161e9c1>] kasan_check_read+0x11/0x20
[<ffffffff82c84b54>] snd_timer_user_read+0x554/0x790
[<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
[<ffffffff817d0831>] ? proc_fault_inject_write+0x1c1/0x250
[<ffffffff817d0670>] ? next_tgid+0x2a0/0x2a0
[<ffffffff8127c278>] ? do_group_exit+0x108/0x330
[<ffffffff8174653a>] ? fsnotify+0x72a/0xca0
[<ffffffff81674dfe>] __vfs_read+0x10e/0x550
[<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
[<ffffffff81674cf0>] ? do_sendfile+0xc50/0xc50
[<ffffffff81745e10>] ? __fsnotify_update_child_dentry_flags+0x60/0x60
[<ffffffff8143fec6>] ? kcov_ioctl+0x56/0x190
[<ffffffff81e5ada2>] ? common_file_perm+0x2e2/0x380
[<ffffffff81746b0e>] ? __fsnotify_parent+0x5e/0x2b0
[<ffffffff81d93536>] ? security_file_permission+0x86/0x1e0
[<ffffffff816728f5>] ? rw_verify_area+0xe5/0x2b0
[<ffffffff81675355>] vfs_read+0x115/0x330
[<ffffffff81676371>] SyS_read+0xd1/0x1a0
[<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
[<ffffffff82001c2c>] ? __this_cpu_preempt_check+0x1c/0x20
[<ffffffff8150455a>] ? __context_tracking_exit.part.4+0x3a/0x1e0
[<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
[<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
[<ffffffff810052fc>] ? syscall_return_slowpath+0x16c/0x1d0
[<ffffffff83c3276a>] entry_SYSCALL64_slow_path+0x25/0x25
==================================================================
There are a couple of problems that I can see:
- ioctl(SNDRV_TIMER_IOCTL_SELECT), which potentially sets
tu->queue/tu->tqueue to NULL on memory allocation failure, so read()
would get a NULL pointer dereference like the above splat
- the same ioctl() can free tu->queue/to->tqueue which means read()
could potentially see (and dereference) the freed pointer
We can fix both by taking the ioctl_lock mutex when dereferencing
->queue/->tqueue, since that's always held over all the ioctl() code.
Just looking at the code I find it likely that there are more problems
here such as tu->qhead pointing outside the buffer if the size is
changed concurrently using SNDRV_TIMER_IOCTL_PARAMS.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/timer.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1958,6 +1958,7 @@ static ssize_t snd_timer_user_read(struc
tu->qused--;
spin_unlock_irq(&tu->qlock);
+ mutex_lock(&tu->ioctl_lock);
if (tu->tread) {
if (copy_to_user(buffer, &tu->tqueue[qhead],
sizeof(struct snd_timer_tread)))
@@ -1967,6 +1968,7 @@ static ssize_t snd_timer_user_read(struc
sizeof(struct snd_timer_read)))
err = -EFAULT;
}
+ mutex_unlock(&tu->ioctl_lock);
spin_lock_irq(&tu->qlock);
if (err < 0)
next prev parent reply other threads:[~2016-09-12 15:32 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160912153038uscas1p166159f601d12fb1e6621d90d3ef5d311@uscas1p1.samsung.com>
[not found] ` <20160912152128.765864031@linuxfoundation.org>
2016-09-12 15:29 ` [PATCH 4.7 01/59] Revert "floppy: refactor open() flags handling" Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 02/59] apparmor: fix refcount race when finding a child profile Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 03/59] kernel: Add noaudit variant of ns_capable() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 04/59] net: Use ns_capable_noaudit() when determining net sysctl permissions Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 05/59] fs: Check for invalid i_uid in may_follow_link() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 06/59] cred: Reject inodes with invalid ids in set_create_file_as() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 07/59] ext4: validate that metadata blocks do not overlap superblock Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 08/59] ext4: fix xattr shifting when expanding inodes Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 09/59] ext4: fix xattr shifting when expanding inodes part 2 Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 10/59] ext4: properly align shifted xattrs when expanding inodes Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 11/59] ext4: avoid deadlock when expanding inode size Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 13/59] block: Fix race triggered by blk_set_queue_dying() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 14/59] block: make sure a big bio is split into at most 256 bvecs Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 15/59] cgroup: reduce read locked section of cgroup_threadgroup_rwsem during fork Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 16/59] cdc-acm: added sanity checking for probe() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 19/59] drm/atomic: Dont potentially reset color_mgmt_changed on successive property updates Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 20/59] drm: Reject page_flip for !DRIVER_MODESET Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 21/59] drm/msm: fix use of copy_from_user() while holding spinlock Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 22/59] drm/vc4: Use drm_free_large() on handles to match its allocation Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 23/59] drm/vc4: Fix overflow mem unreferencing when the binner runs dry Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 24/59] drm/vc4: Fix oops when userspace hands in a bad BO Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 25/59] ASoC: atmel_ssc_dai: Dont unconditionally reset SSC on stream startup Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 26/59] xfs: fix superblock inprogress check Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 27/59] timekeeping: Cap array access in timekeeping_debug Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 28/59] timekeeping: Avoid taking lock in NMI path with CONFIG_DEBUG_TIMEKEEPING Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 30/59] ovl: proper cleanup of workdir Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 31/59] ovl: dont copy up opaqueness Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 32/59] ovl: remove posix_acl_default from workdir Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 33/59] ovl: listxattr: use strnlen() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 34/59] ovl: fix workdir creation Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 35/59] mei: me: disable driver on SPT SPS firmware Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 36/59] ubifs: Fix xattr generic handler usage Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 38/59] bdev: fix NULL pointer dereference Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 39/59] bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 40/59] irqchip/mips-gic: Cleanup chip and handler setup Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 41/59] irqchip/mips-gic: Implement activate op for device domain Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 42/59] vhost/scsi: fix reuse of &vq->iov[out] in response Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 43/59] x86/apic: Do not init irq remapping if ioapic is disabled Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 44/59] xprtrdma: Create common scatterlist fields in rpcrdma_mw Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 46/59] fscrypto: add authorization check for setting encryption policy Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 47/59] fscrypto: only allow setting encryption policy on directories Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 48/59] ALSA: usb-audio: Add sample rate inquiry quirk for B850V3 CP2114 Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 49/59] ALSA: firewire-tascam: accessing to user space outside spinlock Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 50/59] ALSA: fireworks: " Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 51/59] ALSA: rawmidi: Fix possible deadlock with virmidi registration Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 52/59] ALSA: hda - Add headset mic quirk for Dell Inspiron 5468 Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 53/59] ALSA: hda - Enable subwoofer on Dell Inspiron 7559 Greg Kroah-Hartman
2016-09-12 15:30 ` Greg Kroah-Hartman [this message]
2016-09-12 15:30 ` [PATCH 4.7 55/59] ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 56/59] ALSA: timer: fix NULL pointer dereference on memory allocation failure Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 57/59] ALSA: timer: Fix zero-division by continue of uninitialized instance Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 58/59] scsi: fix upper bounds check of sense key in scsi_sense_key_string() Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 59/59] cpufreq: dt: Add terminate entry for of_device_id tables Greg Kroah-Hartman
2016-09-13 3:07 ` [PATCH 4.7 00/59] 4.7.4-stable review Guenter Roeck
2016-09-13 8:57 ` Greg Kroah-Hartman
[not found] ` <57d7cc1f.0d8d1c0a.df2d3.a693@mx.google.com>
2016-09-13 12:12 ` Greg Kroah-Hartman
2016-09-13 17:40 ` Kevin Hilman
2016-09-13 18:32 ` Shuah Khan
2016-09-15 6:19 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160912152131.042139742@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).