Commit | Line | Data |
---|---|---|
d50b8c78 SL |
1 | From b9ab7c8a9ce76312d4696c6f9004dd8de29ec702 Mon Sep 17 00:00:00 2001 |
2 | From: Takashi Iwai <tiwai@suse.de> | |
3 | Date: Tue, 9 Apr 2019 17:35:22 +0200 | |
4 | Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex | |
5 | ||
6 | [ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ] | |
7 | ||
8 | ALSA OSS sequencer calls the ioctl function indirectly via | |
9 | snd_seq_kernel_client_ctl(). While we already applied the protection | |
10 | against races between the normal ioctls and writes via the client's | |
11 | ioctl_mutex, this code path was left untouched. This seems to be | |
12 | the cause of the rare use-after-free (UAF) cases that still remain, | |
13 | as spontaneously triggered by syzkaller. | |
14 | ||
15 | For the sake of robustness, wrap the ioctl_mutex also for the call via | |
16 | snd_seq_kernel_client_ctl(), too. | |
17 | ||
18 | Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com | |
19 | Signed-off-by: Takashi Iwai <tiwai@suse.de> | |
20 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
21 | --- | |
22 | sound/core/seq/seq_clientmgr.c | 9 +++++++-- | |
23 | 1 file changed, 7 insertions(+), 2 deletions(-) | |
24 | ||
25 | diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c | |
26 | index 38e7deab6384..b3280e81bfd1 100644 | |
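--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -2343,14 +2343,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
 {
 const struct ioctl_handler *handler;
 struct snd_seq_client *client;
+ int err;
 
 client = clientptr(clientid);
 if (client == NULL)
 return -ENXIO;
 
 for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
- if (handler->cmd == cmd)
- return handler->func(client, arg);
+ if (handler->cmd == cmd) {
+ mutex_lock(&client->ioctl_mutex);
+ err = handler->func(client, arg);
+ mutex_unlock(&client->ioctl_mutex);
+ return err;
+ }
 }
 
 pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",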
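Review bot: The mutex added around `handler->func(client, arg)` serializes the handler, but `client` is still the bare pointer returned by `clientptr(clientid)` with no reference visibly taken, so nothing in this hunk keeps the client alive between the lookup and `mutex_lock(&client->ioctl_mutex)`. If a kernel client can be released concurrently with this call (`clientptr()` is defined outside the hunk, so this is inferred), the lock acquisition itself would touch freed memory. Either document the contract above the lookup, e.g. `/* caller owns clientid and must keep the client alive across this call; ioctl_mutex only serializes against the ioctl and write paths */`, or hold a counted reference for the duration of the call. The function body continues past the end of the hunk.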
51 | -- | |
52 | 2.20.1 | |
53 |