From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 4.4 79/97] ALSA: rawmidi: Fix missing input substream checks in compat ioctls
Date: Sun, 22 Apr 2018 15:53:57 +0200
Message-Id: <20180422135309.538959543@linuxfoundation.org>
In-Reply-To: <20180422135304.577223025@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Takashi Iwai

commit 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 upstream.

Some rawmidi compat ioctls lack the input substream checks (although they do check only for rfile->output). This may eventually lead to an Oops as NULL substream is passed to the rawmidi core functions.

Fix it by adding the proper checks before each function call.

The bug was spotted by syzkaller.

Reported-by: syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
sound/core/rawmidi_compat.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)

--- a/sound/core/rawmidi_compat.c +++ b/sound/core/rawmidi_compat.c @@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_comp struct snd_rawmidi_params params; unsigned int val; - if (rfile->output == NULL) - return -EINVAL; if (get_user(params.stream, &src->stream) || get_user(params.buffer_size, &src->buffer_size) || get_user(params.avail_min, &src->avail_min) || @@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_comp params.no_active_sensing = val; switch (params.stream) { case SNDRV_RAWMIDI_STREAM_OUTPUT: + if (!rfile->output) + return -EINVAL; return snd_rawmidi_output_params(rfile->output, ¶ms); case SNDRV_RAWMIDI_STREAM_INPUT: + if (!rfile->input) + return -EINVAL; return snd_rawmidi_input_params(rfile->input, ¶ms); } return -EINVAL; @@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_comp int err; struct snd_rawmidi_status status; - if (rfile->output == NULL) - return -EINVAL; if (get_user(status.stream, &src->stream)) return -EFAULT; switch (status.stream) { case SNDRV_RAWMIDI_STREAM_OUTPUT: + if (!rfile->output) + return -EINVAL; err = snd_rawmidi_output_status(rfile->output, &status); break; case SNDRV_RAWMIDI_STREAM_INPUT: + if (!rfile->input) + return -EINVAL; err = snd_rawmidi_input_status(rfile->input, &status); break; default: 
@@ -113,16 +117,18 @@ static int snd_rawmidi_ioctl_status_x32( int err; struct snd_rawmidi_status status; - if (rfile->output == NULL) - return -EINVAL; if (get_user(status.stream, &src->stream)) return -EFAULT; switch (status.stream) { case SNDRV_RAWMIDI_STREAM_OUTPUT: + if (!rfile->output) + return -EINVAL; err = snd_rawmidi_output_status(rfile->output, &status); break; case SNDRV_RAWMIDI_STREAM_INPUT: + if (!rfile->input) + return -EINVAL; err = snd_rawmidi_input_status(rfile->input, &status); break; default:
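
Review bot: In snd_rawmidi_ioctl_params_compat() (the hunks at -36 and -46), removing the up-front `if (rfile->output == NULL) return -EINVAL;` changes more than the changelog states. A handle with only an input substream used to get -EINVAL for every request, including SNDRV_RAWMIDI_STREAM_INPUT, and now reaches snd_rawmidi_input_params(). That is the correct behaviour, but the commit message describes only the NULL-substream Oops; a sentence noting that input-only handles are no longer rejected by the compat path would help anyone tracking a behaviour change in 4.4-stable.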
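
Review bot: In snd_rawmidi_ioctl_status_compat() (the hunk at -67), the NULL checks now run after `get_user(status.stream, &src->stream)`, so the error precedence changes: with rfile->output NULL and a bad user pointer, the old code returned -EINVAL and the new code returns -EFAULT. This looks harmless, but it is a user-visible difference that the changelog does not mention and it deserves a line there.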
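
Review bot: The four added lines in snd_rawmidi_ioctl_status_x32() (the hunk at -113) are identical to those in snd_rawmidi_ioctl_status_compat(), and the same pair of tests appears again in the params handler, so the substream check now lives in six places. Since the bug being fixed is a check that was missing from the input branches, consider a small helper that maps the stream value to rfile->output or rfile->input and returns NULL otherwise, giving each ioctl a single test before the core call. That fits better as an upstream follow-up than as part of this backport.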