Received: by 2002:a25:23cc:0:0:0:0:0 with SMTP id j195csp603373ybj;
        Thu, 7 May 2020 03:21:11 -0700 (PDT)
X-Google-Smtp-Source: APiQypLl9PrcXMQvuXE4p0zUpDRJLRE35VGHoTGdVlsIwQQ2vGAV0/giQ8+DYdhea5JqZkbA8R6y
X-Received: by 2002:a17:906:31d7:: with SMTP id f23mr11679689ejf.59.1588846870942;
        Thu, 07 May 2020 03:21:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1588846870; cv=none;
        d=google.com; s=arc-20160816;
        b=JUTJUDhd7AP3FCjEU1sOPxws/Mnz6+e5PkeaN5V5f0+o+lpvYZMEgQs7YYa0dxfWry
         pNEUHol0/oJDPNu6TYhka3nvcSJuCUkO3rYbrl3fEFC6dEVriEJaUY30RJsYa/00H82x
         6PDLHD8MYOLvrLQ+bR5Sv3pU5Gv9/ELrg4a0w/cYHUvIFlskt5tfnYtJk3mMqCYLZIvR
         YUQNxM4oX5Nm1F29rY/+NDav0AVdzd7bIZhosJbKQgkWpBscJcNZI5BXw5caGKrbDs0f
         RZFFm6PM8BXMsfguIrua7c/GXUQfVaNvPHtePHWd6d3vLSxDTOZr7OkpMPMzpFMcDOOp
         qQ4g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:subject:cc:to:from:message-id:date;
        bh=OR05zSoDSBgQI9yDvC3p8xL9Hi3b5QZ5BcNRg7qc1l0=;
        b=GuOi/1egTKyI7URrDlhauME4VwbEIz0Cq1zNYYiHZRnV6yP6CTUcmw5BX6dXJbSzCp
         Q7BErTY7ehE39oKVJxj8ZYuCKR9/e0iprVNaYMuJVnCZ++jDREEMYI+kNw3e1sIFdafU
         KJJ20ejtYEymxAhO1qW+QT2rvejGkxfJCibHrQ7A9t8Wix8l/B6ziHx9gT7Xt3Hd9J2J
         tmlMyAX5xlbHrbvBKfW1+gkhnqqrdrcQ59yWQmkpWZYJo9V92/WZCnuTqHfFbo7Dqbd5
         hJ6dll13sVc0Qr+TwfnbQmgiHCQbLW4JcKfRz47a1gEdh7Umevuxew71UDaTossFqIrD
         IYGA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id bi13si2851272edb.449.2020.05.07.03.20.47;
        Thu, 07 May 2020 03:21:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725903AbgEGKTX (ORCPT <rfc822;linuxbirdgao@gmail.com>
        + 99 others); Thu, 7 May 2020 06:19:23 -0400
Received: from mx2.suse.de ([195.135.220.15]:47652 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725809AbgEGKTV (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 7 May 2020 06:19:21 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (unknown [195.135.220.254])
        by mx2.suse.de (Postfix) with ESMTP id CDAE8AF99;
        Thu,  7 May 2020 10:19:21 +0000 (UTC)
Date:   Thu, 07 May 2020 12:19:18 +0200
Message-ID: <s5hsggc3v4p.wl-tiwai@suse.de>
From:   Takashi Iwai <tiwai@suse.de>
To:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     butt3rflyh4ck <butterflyhuangxx@gmail.com>, security@kernel.org,
        syzkaller <syzkaller@googlegroups.com>, tiwai@suse.com,
        alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Subject: Re: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
In-Reply-To: <20200507101310.GA1311017@kroah.com>
References: <CAFcO6XMGT42wFBxEa01Ee5Msuecm+WiXnn4rc-VWkC4vTzycPg@mail.gmail.com>
        <20200507082302.GF1024567@kroah.com>
        <s5h8si45ard.wl-tiwai@suse.de>
        <20200507101310.GA1311017@kroah.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka)
 FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3
 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 07 May 2020 12:13:10 +0200,
Greg Kroah-Hartman wrote:
> 
> On Thu, May 07, 2020 at 11:56:22AM +0200, Takashi Iwai wrote:
> > On Thu, 07 May 2020 10:23:02 +0200,
> > Greg Kroah-Hartman wrote:
> > > 
> > > On Thu, May 07, 2020 at 04:04:25PM +0800, butt3rflyh4ck wrote:
> > > > I report a bug (in linux-5.7-rc1) found by syzkaller.
> > > > 
> > > > kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.7.0-rc1.config
> > > > reproducer: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/repro.cprog
> > > > 
> > > > I test the reproducer in linux-5.7-rc4 and crash too.
> > > 
> > > Great, care to create a fix for this and send it to the proper
> > > maintainers?  That's the best way to get it fixed, otherwise it just
> > > goes in the file with the rest of the syzbot reports we are burried
> > > under.
> > 
> > Don't worry, I already prepared a fix patch below :)
> > 
> > 
> > thanks,
> > 
> > Takashi
> > 
> > -- 8< --
> > From: Takashi Iwai <tiwai@suse.de>
> > Subject: [PATCH] ALSA: rawmidi: Fix racy buffer resize under concurrent
> >  accesses
> > 
> > The rawmidi core allows user to resize the runtime buffer via ioctl,
> > and this may lead to UAF when performed during concurrent reads or
> > writes.
> > 
> > This patch fixes the race by introducing a reference counter for the
> > runtime buffer access and returns -EBUSY error when the resize is
> > performed concurrently.
> > 
> > Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
> > Cc: <stable@vger.kernel.org>
> > Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > ---
> >  include/sound/rawmidi.h |  1 +
> >  sound/core/rawmidi.c    | 29 ++++++++++++++++++++++++++++-
> >  2 files changed, 29 insertions(+), 1 deletion(-)
> > 
> > diff --git a/include/sound/rawmidi.h b/include/sound/rawmidi.h
> > index a36b7227a15a..334842daa904 100644
> > --- a/include/sound/rawmidi.h
> > +++ b/include/sound/rawmidi.h
> > @@ -61,6 +61,7 @@ struct snd_rawmidi_runtime {
> >  	size_t avail_min;	/* min avail for wakeup */
> >  	size_t avail;		/* max used buffer for wakeup */
> >  	size_t xruns;		/* over/underruns counter */
> > +	int buffer_ref;		/* buffer reference count */
> >  	/* misc */
> >  	spinlock_t lock;
> >  	wait_queue_head_t sleep;
> > diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
> > index 20dd08e1f675..4185d9e81e3c 100644
> > --- a/sound/core/rawmidi.c
> > +++ b/sound/core/rawmidi.c
> > @@ -120,6 +120,17 @@ static void snd_rawmidi_input_event_work(struct work_struct *work)
> >  		runtime->event(runtime->substream);
> >  }
> >  
> > +/* buffer refcount management: call with runtime->lock held */
> > +static inline void snd_rawmidi_buffer_ref(struct snd_rawmidi_runtime *runtime)
> > +{
> > +	runtime->buffer_ref++;
> > +}
> > +
> > +static inline void snd_rawmidi_buffer_unref(struct snd_rawmidi_runtime *runtime)
> > +{
> > +	runtime->buffer_ref--;
> > +}
> 
> Why not use the reference count structure?

The context accessing the buffer is always with the spinlock, so we
don't need expensive atomic ops there.

Usually this kind of check can be a simple boolean flag, but in this
case, there is one place that goes out of lock due to
copy_from/to_user, so a refcount is used in this patch instead.


thanks,

Takashi