git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Thu, 7 May 2020 11:44:56 +0000 (13:44 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 20 May 2020 06:18:47 +0000 (08:18 +0200)
commit	a507658fdb2ad8ca282b0eb42f2a40b805deb1e6
tree	c114466c3a826c55ee199e6db86e18f50010dc71	tree \| snapshot
parent	f8685c334d53045b189f84b59bb3c4c58d32f58e	commit \| diff

ALSA: rawmidi: Fix racy buffer resize under concurrent accesses

commit c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d upstream.

The rawmidi core allows user to resize the runtime buffer via ioctl,
and this may lead to UAF when performed during concurrent reads or
writes: the read/write functions unlock the runtime lock temporarily
during copying form/to user-space, and that's the race window.

This patch fixes the hole by introducing a reference counter for the
runtime buffer read/write access and returns -EBUSY error when the
resize is performed concurrently against read/write.

Note that the ref count field is a simple integer instead of
refcount_t here, since the all contexts accessing the buffer is
basically protected with a spinlock, hence we need no expensive atomic
ops. Also, note that this busy check is needed only against read /
write functions, and not in receive/transmit callbacks; the race can
happen only at the spinlock hole mentioned in the above, while the
whole function is protected for receive / transmit callbacks.

Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com
Link: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

include/sound/rawmidi.h		diff \| blob \| blame \| history
sound/core/rawmidi.c		diff \| blob \| blame \| history