Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4011494imm; Mon, 14 May 2018 00:57:51 -0700 (PDT) X-Google-Smtp-Source: AB8JxZofuEOBik6lKrQauRHFlLruFSAdRUAVilZMH96mRRQy8NlK/CLU/cQatcTRsFTFdJzp6PbP X-Received: by 2002:a17:902:b189:: with SMTP id s9-v6mr8834009plr.352.1526284671825; Mon, 14 May 2018 00:57:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526284671; cv=none; d=google.com; s=arc-20160816; b=GRa23OODKjbNgb3lqlHLLB9gFQC1T7Jkb77J1xDihmRmfFN2kgvw51VSRHFC60ABKb SlWvjjikXDEg+7wnbgyMl69Lw5gfXD0QBk4CAc9/4e3/ml9FPyHULpzT4Zm5UKkaWFix LYFdluIjsE0P3+EaqDYGHMnOoBDGmiQYIzOuYNy2diXSy2WOZ2yyBKgFPLv5hbqrAd/x KhgxYFLf0pprAnyO9ZS8SCHy/fxleC/HqJu5NlElMKYZbGoZo3tbLsJr5r5KuzovvXgc BgOHkVezhdauEv0QXUbyRGygrljMGa/hRMOQZHxW0h7unNLH4Bl3/gHhYmoanNhZn0j2 P6Yw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=xtWtOhR0eUDV43i04v7MfcgfR0TkyI7MZVWaablVXoY=; b=bvOhLvilEBjphnOF2P4ytWwPOOeUZPLLl1ukptOdGe00Pfp0mMa5Y+S2cayHXf81ec xwWo6uOb0Cyx+Q5xSYGwLU+4cGHKFJba+DxRNSiE6ieluIZb2lcHxsQRMeGZJq0l+JpA pobmkpYadgwNjmEUwQ9UHMtEbnAXqsNmYZQtUdXufj2h/b37iTAD7VXsRyb2li0UMVuv NR3ZATgorqQ3bxPv2yD+MPYSig1JJiVvu4DbxKtU5Fuqh1GV2yO+6a5qdm4yU0vn32u2 7KoUfsTII08Abi8d703Mdz92xcQ+28O0ptaE2S4CYdDiuGm+dGaaHFzH3LA1JWZJlDpQ XFOA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=sNdrfFKo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o78-v6si9078127pfa.54.2018.05.14.00.57.37; Mon, 14 May 2018 00:57:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=sNdrfFKo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752172AbeENGuO (ORCPT + 99 others); Mon, 14 May 2018 02:50:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:56924 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752138AbeENGuM (ORCPT ); Mon, 14 May 2018 02:50:12 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 472EB21723; Mon, 14 May 2018 06:50:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1526280611; bh=iRdy6+ehFuNy5El/TJHyvm74cmiuy+Q+7wshjmUpe90=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sNdrfFKo/hT446bD/O+t2Xr8HNfyoKH2NFY7W6r/vefufip1bYZ5+PrmdHDA+fdqV Phf1m6vmpHqUFgh8Iv+3Q+I+9W38mZ2BRgCh0avQmfSGFjY2OUP2z2QkT8sIDokGBS dq+66O2Fzr5cgEA+6HrK24a5hFCP7rIq8anq0IU8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, DaeRyong Jeong , Takashi Iwai Subject: [PATCH 3.18 07/23] ALSA: aloop: Add missing cable lock to ctl API callbacks Date: Mon, 14 May 2018 08:48:36 +0200 Message-Id: <20180514064704.364237172@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180514064704.046463679@linuxfoundation.org> References: <20180514064704.046463679@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai commit 76b3421b39bd610546931fc923edcf90c18fa395 upstream. Some control API callbacks in aloop driver are too lazy to take the loopback->cable_lock and it results in possible races of cable access while it's being freed. It eventually lead to a UAF, as reported by fuzzer recently. This patch covers such control API callbacks and add the proper mutex locks. Reported-by: DaeRyong Jeong Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/drivers/aloop.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) --- a/sound/drivers/aloop.c +++ b/sound/drivers/aloop.c @@ -833,9 +833,11 @@ static int loopback_rate_shift_get(struc { struct loopback *loopback = snd_kcontrol_chip(kcontrol); + mutex_lock(&loopback->cable_lock); ucontrol->value.integer.value[0] = loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].rate_shift; + mutex_unlock(&loopback->cable_lock); return 0; } @@ -867,9 +869,11 @@ static int loopback_notify_get(struct sn { struct loopback *loopback = snd_kcontrol_chip(kcontrol); + mutex_lock(&loopback->cable_lock); ucontrol->value.integer.value[0] = loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].notify; + mutex_unlock(&loopback->cable_lock); return 0; } @@ -881,12 +885,14 @@ static int loopback_notify_put(struct sn int change = 0; val = ucontrol->value.integer.value[0] ? 1 : 0; + mutex_lock(&loopback->cable_lock); if (val != loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].notify) { loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].notify = val; change = 1; } + mutex_unlock(&loopback->cable_lock); return change; } @@ -894,15 +900,18 @@ static int loopback_active_get(struct sn struct snd_ctl_elem_value *ucontrol) { struct loopback *loopback = snd_kcontrol_chip(kcontrol); - struct loopback_cable *cable = loopback->cables - [kcontrol->id.subdevice][kcontrol->id.device ^ 1]; + struct loopback_cable *cable; + unsigned int val = 0; + mutex_lock(&loopback->cable_lock); + cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1]; if (cable != NULL) { unsigned int running = cable->running ^ cable->pause; val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0; } + mutex_unlock(&loopback->cable_lock); ucontrol->value.integer.value[0] = val; return 0; } @@ -945,9 +954,11 @@ static int loopback_rate_get(struct snd_ { struct loopback *loopback = snd_kcontrol_chip(kcontrol); + mutex_lock(&loopback->cable_lock); ucontrol->value.integer.value[0] = loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].rate; + mutex_unlock(&loopback->cable_lock); return 0; } @@ -967,9 +978,11 @@ static int loopback_channels_get(struct { struct loopback *loopback = snd_kcontrol_chip(kcontrol); + mutex_lock(&loopback->cable_lock); ucontrol->value.integer.value[0] = loopback->setup[kcontrol->id.subdevice] [kcontrol->id.device].channels; + mutex_unlock(&loopback->cable_lock); return 0; }