From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com, syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com, Hillf Danton, Takashi Iwai
Subject: [PATCH 4.19 06/48] ALSA: seq: oss: Serialize ioctls
Date: Mon, 10 Aug 2020 17:21:28 +0200
Message-Id: <20200810151804.528955642@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200810151804.199494191@linuxfoundation.org>
References: <20200810151804.199494191@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Takashi Iwai

commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream.

Some ioctls via OSS sequencer API may race and lead to UAF when the port create and delete are performed concurrently, as spotted by a couple of syzkaller cases. This patch is an attempt to address it by serializing the ioctls with the existing register_mutex.

Basically OSS sequencer API is an obsoleted interface and was designed without much consideration of the concurrency. There are very few applications with it, and the concurrent performance isn't asked, hence this "big hammer" approach should be good enough.

Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com
Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com
Suggested-by: Hillf Danton
Cc:
Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
--- sound/core/seq/oss/seq_oss.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/sound/core/seq/oss/seq_oss.c +++ b/sound/core/seq/oss/seq_oss.c 
@@ -181,10 +181,16 @@ static long odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct seq_oss_devinfo *dp; + long rc; + dp = file->private_data; if (snd_BUG_ON(!dp)) return -ENXIO; - return snd_seq_oss_ioctl(dp, cmd, arg); + + mutex_lock(®ister_mutex); + rc = snd_seq_oss_ioctl(dp, cmd, arg); + mutex_unlock(®ister_mutex); + return rc; } #ifdef CONFIG_COMPAT
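
Review bot: The lock/unlock pair added around snd_seq_oss_ioctl() in odev_ioctl() has no comment saying what register_mutex protects on this path, and it creates a locking rule that is easy to break later: kernel mutexes are not recursive, so anything reached from snd_seq_oss_ioctl() that takes register_mutex itself would deadlock. Suggest a short comment above mutex_lock() stating that all OSS sequencer ioctls are serialized against port create and delete, and that callees must not acquire register_mutex. It is also worth confirming that the compat handler in the CONFIG_COMPAT block that follows enters through odev_ioctl(); if it calls snd_seq_oss_ioctl() directly, 32-bit callers bypass the serialization. Finally, mutex_lock() is uninterruptible, so an ioctl that blocks for a long time inside snd_seq_oss_ioctl() now stalls every other user of register_mutex; if any command can block, mutex_lock_interruptible() with an error return would be the safer choice.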