From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 4.9 72/95] ALSA: rawmidi: Fix missing input substream checks in compat ioctls
Date: Sun, 22 Apr 2018 15:53:41 +0200
Message-Id: <20180422135213.373161011@linuxfoundation.org>
In-Reply-To: <20180422135210.432103639@linuxfoundation.org>
References: <20180422135210.432103639@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 upstream.

Some rawmidi compat ioctls lack the input substream checks (although they do check only for rfile->output). This may eventually lead to an Oops as NULL substream is passed to the rawmidi core functions.

Fix it by adding the proper checks before each function call.

The bug was spotted by syzkaller.

Reported-by: syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/rawmidi_compat.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/sound/core/rawmidi_compat.c +++ b/sound/core/rawmidi_compat.c @@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_comp struct snd_rawmidi_params params; unsigned int val; - if (rfile->output == NULL) - return -EINVAL; if (get_user(params.stream, &src->stream) || get_user(params.buffer_size, &src->buffer_size) || get_user(params.avail_min, &src->avail_min) || @@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_comp params.no_active_sensing = val; switch (params.stream) { case SNDRV_RAWMIDI_STREAM_OUTPUT: + if (!rfile->output) + return -EINVAL; return snd_rawmidi_output_params(rfile->output, ¶ms); case SNDRV_RAWMIDI_STREAM_INPUT: + if (!rfile->input) + return -EINVAL; return snd_rawmidi_input_params(rfile->input, ¶ms); } return -EINVAL; @@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_comp int err; struct snd_rawmidi_status status; - if (rfile->output == NULL) - return -EINVAL; if (get_user(status.stream, &src->stream)) return -EFAULT; switch (status.stream) { case SNDRV_RAWMIDI_STREAM_OUTPUT: + if (!rfile->output) + return -EINVAL; err = snd_rawmidi_output_status(rfile->output, &status); break; case SNDRV_RAWMIDI_STREAM_INPUT: + if (!rfile->input) + return -EINVAL; err = snd_rawmidi_input_status(rfile->input, &status); break; default: 
@@ -112,16 +116,18 @@ static int snd_rawmidi_ioctl_status_x32( int err; struct snd_rawmidi_status status; - if (rfile->output == NULL) - return -EINVAL; if (get_user(status.stream, &src->stream)) return -EFAULT; switch (status.stream) { case SNDRV_RAWMIDI_STREAM_OUTPUT: + if (!rfile->output) + return -EINVAL; err = snd_rawmidi_output_status(rfile->output, &status); break; case SNDRV_RAWMIDI_STREAM_INPUT: + if (!rfile->input) + return -EINVAL; err = snd_rawmidi_input_status(rfile->input, &status); break; default:
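
Review bot: the changelog should mention that the params path (hunks `@@ -36,8 +36,6 @@` and `@@ -46,8 +44,12 @@`) also changes behaviour for input-only opens, not just that it adds a NULL check. The removed `if (rfile->output == NULL) return -EINVAL;` rejected every call on a handle without an output substream before `params.stream` was even read; with the check moved into `case SNDRV_RAWMIDI_STREAM_OUTPUT:`, such a handle now reaches `snd_rawmidi_input_params()` when it asks for the input stream. That looks like the intended result, but for a stable backport it is a user-visible change and deserves one sentence in the commit message.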
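
Review bot: in the `@@ -67,16 +69,18 @@` hunk, nothing records why the substream checks sit inside the `switch` rather than at the top of the function. The stream is selected by userspace through `get_user(status.stream, &src->stream)`, so the pointer that gets dereferenced is only known after that read, and a single up-front check on one of `rfile->output` / `rfile->input` cannot cover both cases. A one-line comment above the `switch` saying so would stop a later cleanup from hoisting the check back up and reintroducing the NULL dereference.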
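
Review bot: the `switch (status.stream)` body in the `@@ -112,16 +116,18 @@` hunk (`snd_rawmidi_ioctl_status_x32`) is now line for line the same as the one in the `@@ -67,16 +69,18 @@` hunk, including all four added lines. Consider moving the per-stream NULL check and the call to `snd_rawmidi_output_status()` / `snd_rawmidi_input_status()` into one static helper that both functions call, so that a future fix to this validation cannot land in one copy and miss the other. The omission this patch fixes was itself repeated identically across three functions, which is the argument for having a single place to check.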