From d85739367c6d56e475c281945c68fdb05ca74b4c Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 5 Mar 2018 22:00:55 +0100
Subject: ALSA: seq: Don't allow resizing pool in use
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Takashi Iwai <tiwai@suse.de>

commit d85739367c6d56e475c281945c68fdb05ca74b4c upstream.

This is a fix for a (sort of) fallout in the recent commit
d15d662e89fc ("ALSA: seq: Fix racy pool initializations") for
CVE-2018-1000004.
As the pool resize deletes the existing cells, it may lead to a race
when another thread is writing concurrently, eventually resulting in a
UAF.

A simple workaround is not to allow the pool resizing when the pool is
in use. It's an invalid behavior anyway.

Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations")
Reported-by: 范龙飞 <long7573@126.com>
Reported-by: Nicolai Stange <nstange@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
sound/core/seq/seq_clientmgr.c | 3 +++
1 file changed, 3 insertions(+)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
| @@ -1834,6 +1834,9 @@ static int snd_seq_ioctl_set_client_pool |
| (! snd_seq_write_pool_allocated(client) || |
| info->output_pool != client->pool->size)) { |
| if (snd_seq_write_pool_allocated(client)) { |
| + /* is the pool in use? */ |
| + if (atomic_read(&client->pool->counter)) |
| + return -EBUSY; |
| /* remove all existing cells */ |
| snd_seq_pool_mark_closing(client->pool); |
| snd_seq_queue_client_leave_cells(client->number); |
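Review bot: The added `atomic_read(&client->pool->counter)` check in snd_seq_ioctl_set_client_pool is a point-in-time read, and nothing visible in this hunk serializes it against a writer that starts using the pool between the read and the following `snd_seq_pool_mark_closing(client->pool)` / `snd_seq_queue_client_leave_cells(client->number)`; since the commit message itself calls this a workaround for the UAF, please extend the `/* is the pool in use? */` comment to state which lock or ordering closes that window (or that a residual window is accepted), so the next reader does not assume the check is complete. The new `-EBUSY` return is also a user-visible behaviour change for the ioctl and deserves a sentence in the commit message or the ioctl documentation.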