release/5.2.58/ALSA-seq-oss-Serialize-ioctls.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From a075e2e7b1c4059e94d8b81fea2fb157cb880b2b Mon Sep 17 00:00:00 2001
 From: Takashi Iwai <tiwai@suse.de>
 Date: Tue, 4 Aug 2020 20:58:15 +0200
 Subject: [PATCH] ALSA: seq: oss: Serialize ioctls

 commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream.

 Some ioctls via OSS sequencer API may race and lead to UAF when the
 port create and delete are performed concurrently, as spotted by a
 couple of syzkaller cases.  This patch is an attempt to address it by
 serializing the ioctls with the existing register_mutex.

 Basically OSS sequencer API is an obsoleted interface and was designed
 without much consideration of the concurrency.  There are very few
 applications with it, and the concurrent performance isn't asked,
 hence this "big hammer" approach should be good enough.

 Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com
 Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com
 Suggested-by: Hillf Danton <hdanton@sina.com>
 Cc: <stable@vger.kernel.org>
 Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de
 Signed-off-by: Takashi Iwai <tiwai@suse.de>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c
 index 17f913657304..c8b9c0b315d8 100644
 --- a/sound/core/seq/oss/seq_oss.c
 +++ b/sound/core/seq/oss/seq_oss.c
 @@ -168,10 +168,16 @@ static long
  odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
  {
  	struct seq_oss_devinfo *dp;
 +	long rc;
 +
  	dp = file->private_data;
  	if (snd_BUG_ON(!dp))
  		return -ENXIO;
 -	return snd_seq_oss_ioctl(dp, cmd, arg);
 +
 +	mutex_lock(&register_mutex);
 +	rc = snd_seq_oss_ioctl(dp, cmd, arg);
 +	mutex_unlock(&register_mutex);
 +	return rc;
  }

  #ifdef CONFIG_COMPAT
 --
 2.27.0
	From a075e2e7b1c4059e94d8b81fea2fb157cb880b2b Mon Sep 17 00:00:00 2001
	From: Takashi Iwai <tiwai@suse.de>
	Date: Tue, 4 Aug 2020 20:58:15 +0200
	Subject: [PATCH] ALSA: seq: oss: Serialize ioctls

	commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream.

	Some ioctls via OSS sequencer API may race and lead to UAF when the
	port create and delete are performed concurrently, as spotted by a
	couple of syzkaller cases. This patch is an attempt to address it by
	serializing the ioctls with the existing register_mutex.

	Basically OSS sequencer API is an obsoleted interface and was designed
	without much consideration of the concurrency. There are very few
	applications with it, and the concurrent performance isn't asked,
	hence this "big hammer" approach should be good enough.

	Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com
	Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com
	Suggested-by: Hillf Danton <hdanton@sina.com>
	Cc: <stable@vger.kernel.org>
	Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de
	Signed-off-by: Takashi Iwai <tiwai@suse.de>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c
	index 17f913657304..c8b9c0b315d8 100644
	--- a/sound/core/seq/oss/seq_oss.c
	+++ b/sound/core/seq/oss/seq_oss.c
	@@ -168,10 +168,16 @@ static long
	odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
	{
	struct seq_oss_devinfo *dp;
	+ long rc;
	+
	dp = file->private_data;
	if (snd_BUG_ON(!dp))
	return -ENXIO;
	- return snd_seq_oss_ioctl(dp, cmd, arg);
	+
	+ mutex_lock(&register_mutex);
	+ rc = snd_seq_oss_ioctl(dp, cmd, arg);
	+ mutex_unlock(&register_mutex);
	+ return rc;
	}

	#ifdef CONFIG_COMPAT
	--
	2.27.0