Date: Thu, 13 Jun 2019 11:02:54 +0200
From: Takashi Iwai
To: Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com, Takashi Iwai , Sasha Levin
Subject: Re: [PATCH 4.14 61/81] ALSA: seq: Protect in-kernel ioctl calls with mutex
In-Reply-To: <20190613075653.581995283@linuxfoundation.org>
References: <20190613075649.074682929@linuxfoundation.org> <20190613075653.581995283@linuxfoundation.org>

On Thu, 13 Jun 2019 10:33:44 +0200,
Greg Kroah-Hartman wrote:
>
> [ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
>
> ALSA OSS sequencer calls the ioctl function indirectly via
> snd_seq_kernel_client_ctl(). While we already applied the protection
> against races between the normal ioctls and writes via the client's
> ioctl_mutex, this code path was left untouched. And this seems to be
> the cause of still remaining some rare UAF as spontaneously triggered
> by syzkaller.
>
> For the sake of robustness, wrap the ioctl_mutex also for the call via
> snd_seq_kernel_client_ctl(), too.
>
> Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
> Signed-off-by: Takashi Iwai
> Signed-off-by: Sasha Levin

This commit is reverted later by commit f0654ba94e33.
So please drop this.

The proper fix is done later by commit 7c32ae35fbf9
("ALSA: seq: Cover unsubscribe_port() in list_mutex")

Ditto for 4.19.y and 5.1.y.


thanks,

Takashi

> ---
> sound/core/seq/seq_clientmgr.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
> > diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c > index 3bcd7a2f0394..692631bd4a35 100644 > --- a/sound/core/seq/seq_clientmgr.c > +++ b/sound/core/seq/seq_clientmgr.c > @@ -2348,14 +2348,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg) > { > const struct ioctl_handler *handler; > struct snd_seq_client *client; > + int err; > > client = clientptr(clientid); > if (client == NULL) > return -ENXIO; > > for (handler = ioctl_handlers; handler->cmd > 0; ++handler) { > - if (handler->cmd == cmd) > - return handler->func(client, arg); > + if (handler->cmd == cmd) { > + mutex_lock(&client->ioctl_mutex); > + err = handler->func(client, arg); > + mutex_unlock(&client->ioctl_mutex); > + return err; > + } > } > > pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", > -- > 2.20.1 > > >
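Review bot: the mutex_lock(&client->ioctl_mutex) added in the `handler->cmd == cmd` branch of snd_seq_kernel_client_ctl() is taken unconditionally, so any in-kernel caller that reaches this function while already holding the same client's ioctl_mutex would block on itself, because kernel mutexes are not recursive. Nothing in the hunk states or checks that callers enter without the mutex held; before taking the lock here, every caller of snd_seq_kernel_client_ctl() should be audited for that, and the locking rule should be written in a comment above the function. The reply in this thread says the commit was reverted by f0654ba94e33 and that 7c32ae35fbf9 is the proper fix, so for 4.14.y (and 4.19.y and 5.1.y) this hunk should be dropped rather than reworked.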