From: John Keeping <john@metanate.com>
To: alsa-devel@alsa-project.org
Cc: John Keeping <john@metanate.com>,
	Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH] ALSA: rawmidi: Fix potential UAF from sequencer destruction
Date: Wed, 29 Sep 2021 12:36:20 +0100	[thread overview]
Message-ID: <20210929113620.2194847-1-john@metanate.com> (raw)

If the sequencer device outlives the rawmidi device, then
snd_rawmidi_dev_seq_free() will run after release_rawmidi_device() has
freed the snd_rawmidi structure.

This can easily be reproduced with CONFIG_DEBUG_KOBJECT_RELEASE.

Keep a reference to the rawmidi device until the sequencer has been
destroyed in order to avoid this.

Signed-off-by: John Keeping <john@metanate.com>
---
 sound/core/rawmidi.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 6f30231bdb88..b015f5f69175 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -1860,6 +1860,7 @@ static void snd_rawmidi_dev_seq_free(struct snd_seq_device *device)
 	struct snd_rawmidi *rmidi = device->private_data;
 
 	rmidi->seq_dev = NULL;
+	put_device(&rmidi->dev);
 }
 #endif
 
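Review bot: put_device(&rmidi->dev) can drop the last reference and trigger release_rawmidi_device(), which frees the snd_rawmidi the commit message describes, so it must remain the final statement in snd_rawmidi_dev_seq_free() that touches rmidi. The ordering here is correct (rmidi->seq_dev = NULL comes first), but a comment such as `/* may free rmidi: nothing may touch it after this */` above the put_device() would keep a later change from appending code after it.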
@@ -1936,6 +1937,9 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 #if IS_ENABLED(CONFIG_SND_SEQUENCER)
 	if (!rmidi->ops || !rmidi->ops->dev_register) { /* own registration mechanism */
 		if (snd_seq_device_new(rmidi->card, rmidi->device, SNDRV_SEQ_DEV_ID_MIDISYNTH, 0, &rmidi->seq_dev) >= 0) {
+			/* Ensure we outlive the sequencer (see snd_rawmidi_dev_seq_free). */
+			get_device(&rmidi->dev);
+
 			rmidi->seq_dev->private_data = rmidi;
 			rmidi->seq_dev->private_free = snd_rawmidi_dev_seq_free;
 			sprintf(rmidi->seq_dev->name, "MIDI %d-%d", rmidi->card->number, rmidi->device);
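Review bot: the reference pairing is only balanced because get_device() is taken on the snd_seq_device_new() success path immediately before private_free is set to snd_rawmidi_dev_seq_free(), whose single put_device() is the matching drop; any future site that installs snd_rawmidi_dev_seq_free() without taking the reference would underflow the refcount. Make the comment name the counterpart, e.g. `/* Paired with put_device() in snd_rawmidi_dev_seq_free() */`, and the stray blank `+` line after get_device() can go.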
-- 
2.33.0
