[thirdparty/kernel/stable-queue.git] / queue-5.1 / alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch

From b9ab7c8a9ce76312d4696c6f9004dd8de29ec702 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Tue, 9 Apr 2019 17:35:22 +0200
Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex

[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]

ALSA OSS sequencer calls the ioctl function indirectly via
snd_seq_kernel_client_ctl().  While we already applied the protection
against races between the normal ioctls and writes via the client's
ioctl_mutex, this code path was left untouched.  And this seems to be
the cause of still remaining some rare UAF as spontaneously triggered
by syzkaller.

For the sake of robustness, wrap the ioctl_mutex also for the call via
snd_seq_kernel_client_ctl(), too.

Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/seq/seq_clientmgr.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 38e7deab6384..b3280e81bfd1 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -2343,14 +2343,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
 {
 	const struct ioctl_handler *handler;
 	struct snd_seq_client *client;
+	int err;
 
 	client = clientptr(clientid);
 	if (client == NULL)
 		return -ENXIO;
 
 	for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
-		if (handler->cmd == cmd)
-			return handler->func(client, arg);
+		if (handler->cmd == cmd) {
+			mutex_lock(&client->ioctl_mutex);
+			err = handler->func(client, arg);
+			mutex_unlock(&client->ioctl_mutex);
+			return err;
+		}
 	}
 
 	pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
-- 
2.20.1
Commit	Line	Data
d50b8c78 SL	1	From b9ab7c8a9ce76312d4696c6f9004dd8de29ec702 Mon Sep 17 00:00:00 2001
	2	From: Takashi Iwai <tiwai@suse.de>
	3	Date: Tue, 9 Apr 2019 17:35:22 +0200
	4	Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex
	5
	6	[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
	7
	8	ALSA OSS sequencer calls the ioctl function indirectly via
	9	snd_seq_kernel_client_ctl(). While we already applied the protection
	10	against races between the normal ioctls and writes via the client's
	11	ioctl_mutex, this code path was left untouched. And this seems to be
	12	the cause of still remaining some rare UAF as spontaneously triggered
	13	by syzkaller.
	14
	15	For the sake of robustness, wrap the ioctl_mutex also for the call via
	16	snd_seq_kernel_client_ctl(), too.
	17
	18	Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
	19	Signed-off-by: Takashi Iwai <tiwai@suse.de>
	20	Signed-off-by: Sasha Levin <sashal@kernel.org>
	21	---
	22	sound/core/seq/seq_clientmgr.c \| 9 +++++++--
	23	1 file changed, 7 insertions(+), 2 deletions(-)
	24
	25	diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
	26	index 38e7deab6384..b3280e81bfd1 100644
	27	--- a/sound/core/seq/seq_clientmgr.c
	28	+++ b/sound/core/seq/seq_clientmgr.c
	29	@@ -2343,14 +2343,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
	30	{
	31	const struct ioctl_handler *handler;
	32	struct snd_seq_client *client;
	33	+ int err;
	34
	35	client = clientptr(clientid);
	36	if (client == NULL)
	37	return -ENXIO;
	38
	39	for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
	40	- if (handler->cmd == cmd)
	41	- return handler->func(client, arg);
	42	+ if (handler->cmd == cmd) {
	43	+ mutex_lock(&client->ioctl_mutex);
	44	+ err = handler->func(client, arg);
	45	+ mutex_unlock(&client->ioctl_mutex);
	46	+ return err;
	47	+ }
	48	}
	49
	50	pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
	51	--
	52	2.20.1
	53