From: Ben Hutchings
To: Greg Kroah-Hartman, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com, Takashi Iwai
Subject: Re: [PATCH 4.4 53/97] ALSA: pcm: Fix UAF at PCM release via PCM timer access
Date: Wed, 16 May 2018 21:51:47 +0100
Message-ID: <1526503907.9159.150.camel@codethink.co.uk>
In-Reply-To: <20180422135308.244077643@linuxfoundation.org>
References: <20180422135304.577223025@linuxfoundation.org> <20180422135308.244077643@linuxfoundation.org>
Organization: Codethink Ltd.
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, 2018-04-22 at 15:53 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Takashi Iwai
>
> commit a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b upstream.
>
> The PCM runtime object is created and freed dynamically at PCM stream
> open / close time.  This is tracked via substream->runtime, and it's
> cleared at snd_pcm_detach_substream().
>
> The runtime object assignment is protected by PCM open_mutex, so for
> all PCM operations, it's safely handled.  However, each PCM substream
> also provides an ALSA timer interface, and user-space can access
> this while closing a PCM substream.  This may eventually lead to a
> UAF, as snd_pcm_timer_resolution() tries to access the runtime while
> clearing it on the other side.
>
> Fortunately, it's the only concurrent access from the PCM timer, and
> it merely reads the runtime->timer_resolution field.  So, we can avoid the
> race by reordering kfree() and wrapping the substream->runtime
> clearance with the corresponding timer lock.
[...]

This seems to depend on:

commit f65e0d299807d8a11812845c972493c3f9a18e10
Author: Takashi Iwai
Date:   Wed Feb 10 12:47:03 2016 +0100

    ALSA: timer: Call notifier in the same spinlock

(But I'm not totally convinced that snd_pcm_timer_resolution() is
always called with the timer lock held, even after that.)

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.
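As an added illustration, not the kernel's code and not from this thread: the ordering the quoted commit message describes, modelled in plain C with a stand-in spinlock, the fixed detach path, and the timer-side read. The struct and function names here are hypothetical; only timer_resolution, the substream->runtime clearance and the snd_pcm_timer_resolution() access come from the quoted text.

```c
#include <stdatomic.h>
#include <stdlib.h>
/* Constructed model, not kernel code: the runtime object and the substream
 * that owns it, with an atomic_flag standing in for the PCM timer spinlock. */
struct runtime { unsigned long timer_resolution; };
struct substream {
    struct runtime *runtime;  /* cleared at detach; NULL once closed */
    atomic_flag timer_lock;   /* stand-in for the timer's spinlock */
};
/* Minimal spinlock with the acquire/release pairing of spin_lock()/spin_unlock(). */
static void timer_lock(struct substream *s)
{ while (atomic_flag_test_and_set_explicit(&s->timer_lock, memory_order_acquire)) { } }
static void timer_unlock(struct substream *s)
{ atomic_flag_clear_explicit(&s->timer_lock, memory_order_release); }

/* Fixed ordering from the commit: clear the pointer under the timer lock, free
 * afterwards. The pre-fix path freed first and cleared without the lock, so a
 * concurrent timer-side read could dereference freed memory. */
static void detach_substream_fixed(struct substream *s)
{
    timer_lock(s);
    struct runtime *rt = s->runtime;
    s->runtime = NULL;
    timer_unlock(s);
    free(rt);  /* kfree() in the kernel, now after the locked clearance */
}

/* Timer-side read of runtime->timer_resolution (the snd_pcm_timer_resolution()
 * access). The NULL check only helps because the lock is held around it; a
 * caller reading without the lock is exactly the case the reply questions. */
static unsigned long pcm_timer_read(struct substream *s)
{
    timer_lock(s);
    unsigned long res = s->runtime ? s->runtime->timer_resolution : 0;
    timer_unlock(s);
    return res;
}

/* Single-thread check: read, detach, read again. Returns 1 when the
 * post-detach read yields 0 instead of touching freed memory. */
static int check_detach_sequence(unsigned long resolution)
{
    struct substream s = { .runtime = malloc(sizeof *s.runtime), .timer_lock = ATOMIC_FLAG_INIT };
    if (!s.runtime) return 0;
    s.runtime->timer_resolution = resolution;
    unsigned long before = pcm_timer_read(&s);
    detach_substream_fixed(&s);
    return before == resolution && pcm_timer_read(&s) == 0;
}
```

The single-threaded check cannot reproduce the race itself; it only shows the invariant the locked clearance provides, which is what a lock-held reader relies on.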