| From 0dac35c9ecfbcdf5b1b3e0640fa6fcc58a6be6a3 Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Wed, 15 Jan 2020 21:37:33 +0100 |
| Subject: [PATCH] ALSA: seq: Fix racy access for queue timer in proc read |
| |
| commit 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a upstream. |
| |
| snd_seq_info_timer_read() reads the information of the timer assigned |
| for each queue, but it's done in a racy way which may lead to UAF as |
| spotted by syzkaller. |
| |
| This patch applies the missing q->timer_mutex lock while accessing the |
| timer object, as well as a slight code change to follow the standard |
| coding style. |
| |
| Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com |
| Cc: <stable@vger.kernel.org> |
| Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/sound/core/seq/seq_timer.c b/sound/core/seq/seq_timer.c |
| index 161f3170bd7e..3bc6095df44d 100644 |
| --- a/sound/core/seq/seq_timer.c |
| +++ b/sound/core/seq/seq_timer.c |
| @@ -465,15 +465,19 @@ void snd_seq_info_timer_read(struct snd_info_entry *entry, |
| q = queueptr(idx); |
| if (q == NULL) |
| continue; |
| - if ((tmr = q->timer) == NULL || |
| - (ti = tmr->timeri) == NULL) { |
| - queuefree(q); |
| - continue; |
| - } |
| + mutex_lock(&q->timer_mutex); |
| + tmr = q->timer; |
| + if (!tmr) |
| + goto unlock; |
| + ti = tmr->timeri; |
| + if (!ti) |
| + goto unlock; |
| snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name); |
| resolution = snd_timer_resolution(ti) * tmr->ticks; |
| snd_iprintf(buffer, " Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000); |
| snd_iprintf(buffer, " Skew : %u / %u\n", tmr->skew, tmr->skew_base); |
| +unlock: |
| + mutex_unlock(&q->timer_mutex); |
| queuefree(q); |
| } |
| } |
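Review bot: The new `mutex_lock(&q->timer_mutex);` at the top of the hunk carries no comment saying what the lock guards, so a later reader sees only that a lock was added and not why the proc read must hold it while dereferencing `tmr` and `ti`. A one-line comment above the lock, such as `/* hold timer_mutex so q->timer and its timeri cannot be released while we print them */`, would keep the reasoning from the commit message next to the code. The lock is also held across `snd_timer_resolution(ti)` and the `snd_iprintf()` calls; I assume `timer_mutex` is a sleeping mutex and this path runs in process context, but it is worth confirming that the same mutex is not taken on any path reachable from the timer callback, since the two would then be ordered against each other. The enclosing loop and the header of snd_seq_info_timer_read begin before the hunk.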
| -- |
| 2.7.4 |
| |