From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 3.18 41/52] ALSA: rawmidi: Fix missing input substream checks in compat ioctls
Date: Sun, 22 Apr 2018 15:54:14 +0200
Message-Id: <20180422135317.278063464@linuxfoundation.org>
In-Reply-To: <20180422135315.254787616@linuxfoundation.org>

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 upstream.

Some rawmidi compat ioctls lack the input substream checks (although they do check only for rfile->output). This may eventually lead to an Oops as NULL substream is passed to the rawmidi core functions.

Fix it by adding the proper checks before each function call.

The bug was spotted by syzkaller.

Reported-by: syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/rawmidi_compat.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/sound/core/rawmidi_compat.c +++ b/sound/core/rawmidi_compat.c @@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_comp struct snd_rawmidi_params params; unsigned int val; - if (rfile->output == NULL) - return -EINVAL; if (get_user(params.stream, &src->stream) || get_user(params.buffer_size, &src->buffer_size) || get_user(params.avail_min, &src->avail_min) || @@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_comp params.no_active_sensing = val; switch (params.stream) { case SNDRV_RAWMIDI_STREAM_OUTPUT: + if (!rfile->output) + return -EINVAL; return snd_rawmidi_output_params(rfile->output, ¶ms); case SNDRV_RAWMIDI_STREAM_INPUT: + if (!rfile->input) + return -EINVAL; return snd_rawmidi_input_params(rfile->input, ¶ms); } return -EINVAL; @@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_comp int err; struct snd_rawmidi_status status; - if (rfile->output == NULL) - return -EINVAL; if (get_user(status.stream, &src->stream)) return -EFAULT; switch (status.stream) { case SNDRV_RAWMIDI_STREAM_OUTPUT: + if (!rfile->output) + return -EINVAL; err = snd_rawmidi_output_status(rfile->output, &status); break; case SNDRV_RAWMIDI_STREAM_INPUT: + if (!rfile->input) + return -EINVAL; err = snd_rawmidi_input_status(rfile->input, &status); break; default:
@@ -113,16 +117,18 @@ static int snd_rawmidi_ioctl_status_x32( int err; struct snd_rawmidi_status status; - if (rfile->output == NULL) - return -EINVAL; if (get_user(status.stream, &src->stream)) return -EFAULT; switch (status.stream) { case SNDRV_RAWMIDI_STREAM_OUTPUT: + if (!rfile->output) + return -EINVAL; err = snd_rawmidi_output_status(rfile->output, &status); break; case SNDRV_RAWMIDI_STREAM_INPUT: + if (!rfile->input) + return -EINVAL; err = snd_rawmidi_input_status(rfile->input, &status); break; default:
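
Review bot: the commit message does not mention that removing the unconditional `rfile->output == NULL` check at the top of snd_rawmidi_ioctl_params_compat changes behaviour for a caller that has only an input substream. That caller used to get -EINVAL for every request, including SNDRV_RAWMIDI_STREAM_INPUT, and now reaches snd_rawmidi_input_params(). The same holds for the two status functions. The message describes only the missing input check, so this second effect deserves a sentence there for anyone reviewing the stable backport.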
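
Review bot: the switch on status.stream in snd_rawmidi_ioctl_status_compat and in snd_rawmidi_ioctl_status_x32 now carries the same four added lines in two places, on top of the pair added to the params switch. A small helper that takes rfile and the stream value and returns the matching substream, or NULL when it is absent or the value is unknown, would keep the copies from drifting and make it harder for a later compat ioctl to skip the check, which is the class of bug this patch fixes.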