From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot, Mark Salyzyn, Takashi Iwai
Subject: [PATCH 4.9 62/87] ALSA: seq: Fix OSS sysex delivery in OSS emulation
Date: Mon, 13 Nov 2017 13:56:19 +0100
Message-Id: <20171113125620.983586708@linuxfoundation.org>
In-Reply-To: <20171113125615.304035578@linuxfoundation.org>
References: <20171113125615.304035578@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai commit 132d358b183ac6ad8b3fea32ad5e0663456d18d1 upstream. The SYSEX event delivery in OSS sequencer emulation assumed that the event is encoded in the variable-length data with the straight buffering. This was the normal behavior in the past, but during the development, the chained buffers were introduced for carrying more data, while the OSS code was left intact. As a result, when a SYSEX event with the chained buffer data is passed to OSS sequencer port, it may end up with the wrong memory access, as if it were having a too large buffer. This patch addresses the bug, by applying the buffer data expansion by the generic snd_seq_dump_var_event() helper function. Reported-by: syzbot Reported-by: Mark Salyzyn Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/seq/oss/seq_oss_midi.c | 4 +--- sound/core/seq/oss/seq_oss_readq.c | 29 +++++++++++++++++++++++++++++ sound/core/seq/oss/seq_oss_readq.h | 2 ++ 3 files changed, 32 insertions(+), 3 deletions(-) --- a/sound/core/seq/oss/seq_oss_midi.c +++ b/sound/core/seq/oss/seq_oss_midi.c @@ -612,9 +612,7 @@ send_midi_event(struct seq_oss_devinfo * if (!dp->timer->running) len = snd_seq_oss_timer_start(dp->timer); if (ev->type == SNDRV_SEQ_EVENT_SYSEX) { - if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) == SNDRV_SEQ_EVENT_LENGTH_VARIABLE) - snd_seq_oss_readq_puts(dp->readq, mdev->seq_device, - ev->data.ext.ptr, ev->data.ext.len); + snd_seq_oss_readq_sysex(dp->readq, mdev->seq_device, ev); } else { len = snd_midi_event_decode(mdev->coder, msg, sizeof(msg), ev); if (len > 0) --- a/sound/core/seq/oss/seq_oss_readq.c +++ b/sound/core/seq/oss/seq_oss_readq.c 
@@ -118,6 +118,35 @@ snd_seq_oss_readq_puts(struct seq_oss_re } /* + * put MIDI sysex bytes; the event buffer may be chained, thus it has + * to be expanded via snd_seq_dump_var_event(). + */ +struct readq_sysex_ctx { + struct seq_oss_readq *readq; + int dev; +}; + +static int readq_dump_sysex(void *ptr, void *buf, int count) +{ + struct readq_sysex_ctx *ctx = ptr; + + return snd_seq_oss_readq_puts(ctx->readq, ctx->dev, buf, count); +} + +int snd_seq_oss_readq_sysex(struct seq_oss_readq *q, int dev, + struct snd_seq_event *ev) +{ + struct readq_sysex_ctx ctx = { + .readq = q, + .dev = dev + }; + + if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) != SNDRV_SEQ_EVENT_LENGTH_VARIABLE) + return 0; + return snd_seq_dump_var_event(ev, readq_dump_sysex, &ctx); +} + +/* * copy an event to input queue: * return zero if enqueued */ --- a/sound/core/seq/oss/seq_oss_readq.h +++ b/sound/core/seq/oss/seq_oss_readq.h @@ -44,6 +44,8 @@ void snd_seq_oss_readq_delete(struct seq void snd_seq_oss_readq_clear(struct seq_oss_readq *readq); unsigned int snd_seq_oss_readq_poll(struct seq_oss_readq *readq, struct file *file, poll_table *wait); int snd_seq_oss_readq_puts(struct seq_oss_readq *readq, int dev, unsigned char *data, int len); +int snd_seq_oss_readq_sysex(struct seq_oss_readq *q, int dev, + struct snd_seq_event *ev); int snd_seq_oss_readq_put_event(struct seq_oss_readq *readq, union evrec *ev); int snd_seq_oss_readq_put_timestamp(struct seq_oss_readq *readq, unsigned long curt, int seq_mode); int snd_seq_oss_readq_pick(struct seq_oss_readq *q, union evrec *rec); From 1583956622264995848@xxx Mon Nov 13 13:12:28 +0000 2017 X-GM-THRID: 1583955844931176488 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread
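
Review bot: In the send_midi_event() hunk of sound/core/seq/oss/seq_oss_midi.c, the result of the new call is discarded: `snd_seq_oss_readq_sysex(dp->readq, mdev->seq_device, ev);`. The helper is declared to return int and passes through whatever snd_seq_dump_var_event() and the snd_seq_oss_readq_puts() callback return, so a failure partway through a chained buffer could leave a truncated SYSEX in the read queue with nothing recorded. The removed lines ignored the result of snd_seq_oss_readq_puts() too, so this is not new behaviour, but I would either check the result here or add a one-line comment saying that dropping it is intentional.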
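
Review bot: In the sound/core/seq/oss/seq_oss_readq.c hunk, the comment "put MIDI sysex bytes; the event buffer may be chained ..." sits above struct readq_sysex_ctx instead of above snd_seq_oss_readq_sysex(), and the function's return convention is not documented anywhere. The early `return 0;` for events that are not SNDRV_SEQ_EVENT_LENGTH_VARIABLE means a caller cannot tell "nothing was queued" from "queued successfully". Please move the comment down to the function it describes and state what the return value means, including the value handed back from snd_seq_dump_var_event() when the readq_dump_sysex() callback fails.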