| From a075e2e7b1c4059e94d8b81fea2fb157cb880b2b Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Tue, 4 Aug 2020 20:58:15 +0200 |
| Subject: [PATCH] ALSA: seq: oss: Serialize ioctls |
| |
| commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream. |
| |
| Some ioctls via OSS sequencer API may race and lead to UAF when the |
| port create and delete are performed concurrently, as spotted by a |
| couple of syzkaller cases. This patch is an attempt to address it by |
| serializing the ioctls with the existing register_mutex. |
| |
| Basically OSS sequencer API is an obsoleted interface and was designed |
| without much consideration of the concurrency. There are very few |
| applications with it, and the concurrent performance isn't asked, |
| hence this "big hammer" approach should be good enough. |
| |
| Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com |
| Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com |
| Suggested-by: Hillf Danton <hdanton@sina.com> |
| Cc: <stable@vger.kernel.org> |
| Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c |
| index 17f913657304..c8b9c0b315d8 100644 |
| --- a/sound/core/seq/oss/seq_oss.c |
| +++ b/sound/core/seq/oss/seq_oss.c |
| @@ -168,10 +168,16 @@ static long |
| odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) |
| { |
| struct seq_oss_devinfo *dp; |
| + long rc; |
| + |
| dp = file->private_data; |
| if (snd_BUG_ON(!dp)) |
| return -ENXIO; |
| - return snd_seq_oss_ioctl(dp, cmd, arg); |
| + |
| + mutex_lock(®ister_mutex); |
| + rc = snd_seq_oss_ioctl(dp, cmd, arg); |
| + mutex_unlock(®ister_mutex); |
| + return rc; |
| } |
| |
| #ifdef CONFIG_COMPAT |
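Review bot: The added `mutex_lock(&register_mutex)` in odev_ioctl is an uninterruptible lock held across the whole `snd_seq_oss_ioctl()` call, so any ioctl that sleeps keeps every other holder of register_mutex waiting and a blocked caller cannot be signalled out of it. The hunk does not show which other paths take this mutex; if open and release do, it is worth confirming that no ioctl command waits for long while the lock is held, or considering `mutex_lock_interruptible()` with an `-ERESTARTSYS` return. A one-line comment above the lock would record why it is there, for example `/* serialize all OSS ioctls: concurrent port create/delete can race into a UAF */`. The `#ifdef CONFIG_COMPAT` block that follows is outside the hunk, so please also check that the compat entry point goes through odev_ioctl rather than calling `snd_seq_oss_ioctl()` directly, since otherwise that path would remain unserialized.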
| -- |
| 2.27.0 |
| |