From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com, Takashi Iwai , Sasha Levin
Subject: [PATCH 4.19 28/75] ALSA: seq: Protect in-kernel ioctl calls with mutex
Date: Mon, 17 Jun 2019 23:09:39 +0200
Message-Id: <20190617210753.921547314@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190617210752.799453599@linuxfoundation.org>
References: <20190617210752.799453599@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]

ALSA OSS sequencer calls the ioctl function indirectly via snd_seq_kernel_client_ctl(). While we already applied the protection against races between the normal ioctls and writes via the client's ioctl_mutex, this code path was left untouched. And this seems to be the cause of still remaining some rare UAF as spontaneously triggered by syzkaller.

For the sake of robustness, wrap the ioctl_mutex also for the call via snd_seq_kernel_client_ctl(), too.

Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai
Signed-off-by: Sasha Levin
--- sound/core/seq/seq_clientmgr.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c index b55cb96d1fed..40ae8f67efde 100644 --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c
@@ -2343,14 +2343,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg) { const struct ioctl_handler *handler; struct snd_seq_client *client; + int err; client = clientptr(clientid); if (client == NULL) return -ENXIO; for (handler = ioctl_handlers; handler->cmd > 0; ++handler) { - if (handler->cmd == cmd) - return handler->func(client, arg); + if (handler->cmd == cmd) { + mutex_lock(&client->ioctl_mutex); + err = handler->func(client, arg); + mutex_unlock(&client->ioctl_mutex); + return err; + } } pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", -- 2.20.1
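
Review bot: In the matching-handler branch, mutex_lock(&client->ioctl_mutex) is taken on a pointer that the visible lines obtain from clientptr(clientid) with only a NULL check in between, so the new lock serializes the handler against other ioctl_mutex holders but does not by itself keep client alive. If clientptr() does not pin the client, a concurrent release could free it before or while the mutex embedded in it is held, which would leave the same class of UAF the commit message describes. It would help to state in the changelog or in a comment above the lookup what guarantees the client's lifetime for in-kernel callers, or to hold a reference across the lock, handler->func() call and unlock. A smaller point: the changelog says this path only "seems to be" the cause, so a note on whether the syzbot report stops reproducing with the change applied would make the stable backport easier to judge.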