From patchwork Thu Aug 20 09:21:51 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 265709 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3EF3DC433E3 for ; Thu, 20 Aug 2020 10:18:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 05CB020658 for ; Thu, 20 Aug 2020 10:18:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597918729; bh=YKOLualWO9C4qYdvL7Xb+bTQPwiEtuBFqCinjF8SZNY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=FCsaOamcOuGO58OwYfQpj3sEokgPJz6lG/Z9tAn9Npc4FOjzRpUlj7cZqZhUnLRnY S+wmMtUm5rwzudZIsOpkQgdoAOjjZibqT2rq+MLCdVCi2dXJTJBRLJzVC9O4yaPMWa 12yOKCkgDEzndpTaYDBm8ZCCSNZ3+cZjHVlblrYI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731397AbgHTKSr (ORCPT ); Thu, 20 Aug 2020 06:18:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:40230 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731154AbgHTKSV (ORCPT ); Thu, 20 Aug 2020 06:18:21 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7B83020738; Thu, 20 Aug 2020 10:18:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597918701; bh=YKOLualWO9C4qYdvL7Xb+bTQPwiEtuBFqCinjF8SZNY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=G9NX+Q4tlYUjiMqHrOx7wD3E4roQlKmRVimUDi6Fm/SHhyHQjJurGmYCfzisHHTec fcBoB3+O8YW149q1AhbtzoGMqDbjB9eh5Dru1EGtW/CYNW3b4p8NTo6MCR+p0tpOPc djcbIcFMr3mXhwa1oBD55DrVssUf3ljCus5EUwOA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com, syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com, Hillf Danton , Takashi Iwai Subject: [PATCH 4.4 034/149] ALSA: seq: oss: Serialize ioctls Date: Thu, 20 Aug 2020 11:21:51 +0200 Message-Id: <20200820092127.381677453@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200820092125.688850368@linuxfoundation.org> References: <20200820092125.688850368@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Takashi Iwai commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream. Some ioctls via OSS sequencer API may race and lead to UAF when the port create and delete are performed concurrently, as spotted by a couple of syzkaller cases. This patch is an attempt to address it by serializing the ioctls with the existing register_mutex. Basically OSS sequencer API is an obsoleted interface and was designed without much consideration of the concurrency. There are very few applications with it, and the concurrent performance isn't asked, hence this "big hammer" approach should be good enough. Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com Suggested-by: Hillf Danton Cc: Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/seq/oss/seq_oss.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/sound/core/seq/oss/seq_oss.c +++ b/sound/core/seq/oss/seq_oss.c @@ -180,10 +180,16 @@ static long odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct seq_oss_devinfo *dp; + long rc; + dp = file->private_data; if (snd_BUG_ON(!dp)) return -ENXIO; - return snd_seq_oss_ioctl(dp, cmd, arg); + + mutex_lock(®ister_mutex); + rc = snd_seq_oss_ioctl(dp, cmd, arg); + mutex_unlock(®ister_mutex); + return rc; } #ifdef CONFIG_COMPAT