From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com, syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com, Hillf Danton, Takashi Iwai
Subject: [PATCH 5.4 13/67] ALSA: seq: oss: Serialize ioctls
Date: Mon, 10 Aug 2020 17:21:00 +0200
Message-Id: <20200810151810.080801939@linuxfoundation.org>
In-Reply-To: <20200810151809.438685785@linuxfoundation.org>

From: Takashi Iwai

commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream.

Some ioctls via OSS sequencer API may race and lead to UAF when the port create and delete are performed concurrently, as spotted by a couple of syzkaller cases. This patch is an attempt to address it by serializing the ioctls with the existing register_mutex.

Basically OSS sequencer API is an obsoleted interface and was designed without much consideration of the concurrency. There are very few applications with it, and the concurrent performance isn't asked, hence this "big hammer" approach should be good enough.

Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com
Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com
Suggested-by: Hillf Danton
Cc:
Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/seq/oss/seq_oss.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/sound/core/seq/oss/seq_oss.c +++ b/sound/core/seq/oss/seq_oss.c 
@@ -168,10 +168,16 @@ static long odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct seq_oss_devinfo *dp; + long rc; + dp = file->private_data; if (snd_BUG_ON(!dp)) return -ENXIO; - return snd_seq_oss_ioctl(dp, cmd, arg); + + mutex_lock(®ister_mutex); + rc = snd_seq_oss_ioctl(dp, cmd, arg); + mutex_unlock(®ister_mutex); + return rc; } #ifdef CONFIG_COMPAT
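
Review bot: In odev_ioctl(), snd_seq_oss_ioctl() now runs entirely under register_mutex, taken with the uninterruptible mutex_lock(), so the change is only safe if nothing reachable from snd_seq_oss_ioctl() takes register_mutex again (self-deadlock) and no ioctl handler can sleep for an unbounded time while holding it, since that would stall every other user of this lock. Please say in the commit message that both were checked, and confirm that the compat handler following the `#ifdef CONFIG_COMPAT` line reaches the device through odev_ioctl() rather than calling snd_seq_oss_ioctl() directly, otherwise that path stays unserialized. A one-line comment above the lock stating what register_mutex protects here (port create and delete against concurrent ioctls) would help later readers, because the visible code gives no hint why an ioctl entry point takes a registration lock.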