From patchwork Thu Apr 13 14:17:56 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1768502
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-5.17 1/1] ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
Date: Thu, 13 Apr 2023 17:17:56 +0300
Message-Id: <20230413141756.384369-2-cengiz.can@canonical.com>
In-Reply-To: <20230413141756.384369-1-cengiz.can@canonical.com>
References: <20230413141756.384369-1-cengiz.can@canonical.com>
List-Id: Kernel team discussions

From: Takashi Iwai

There is a small race window at snd_pcm_oss_sync() that is called from
OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls
snd_pcm_oss_make_ready() at first, then takes the params_lock mutex for
the rest. When the stream is set up again by another thread between
them, it leads to inconsistency, and may result in unexpected results
such as NULL dereference of OSS buffer as a fuzzer spotted recently.

The fix is simply to cover snd_pcm_oss_make_ready() call into the same
params_lock mutex with snd_pcm_oss_make_ready_locked() variant.

Reported-and-tested-by: butt3rflyh4ck
Reviewed-by: Jaroslav Kysela
Cc:
Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com
Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
CVE-2022-3303
(cherry picked from commit 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d)
Signed-off-by: Cengiz Can
---
 sound/core/oss/pcm_oss.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c index f158f0abd25d..ca4a692fe1c3 100644 --- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -1664,14 +1664,14 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) runtime = substream->runtime; if (atomic_read(&substream->mmap_count)) goto __direct; - err = snd_pcm_oss_make_ready(substream); - if (err < 0) - return err; atomic_inc(&runtime->oss.rw_ref); if (mutex_lock_interruptible(&runtime->oss.params_lock)) { atomic_dec(&runtime->oss.rw_ref); return -ERESTARTSYS; } + err = snd_pcm_oss_make_ready_locked(substream); + if (err < 0) + goto unlock; format = snd_pcm_oss_format_from(runtime->oss.format); width = snd_pcm_format_physical_width(format); if (runtime->oss.buffer_used > 0) {
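Review bot: the new `goto unlock` on the `snd_pcm_oss_make_ready_locked()` failure path jumps to a label that is outside this hunk, and the error now happens after both `atomic_inc(&runtime->oss.rw_ref)` and `mutex_lock_interruptible(&runtime->oss.params_lock)` have succeeded, which the old early `return err` never had to undo; please confirm the existing `unlock:` path in this tree does `mutex_unlock(&runtime->oss.params_lock)` followed by `atomic_dec(&runtime->oss.rw_ref)` before returning `err`, otherwise a failing make-ready leaks the mutex and the reference. The diffstat (3 insertions, 3 deletions) shows the patch does not add `snd_pcm_oss_make_ready_locked()` itself, so the helper must already exist in OEM-5.17; a clean cherry-pick of 8423f0b6d513 suggests it does, but a build check is cheap. The `goto __direct` shortcut for mmapped streams is still taken before the lock and is unchanged here, which is consistent with upstream.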
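To make the race in the commit message concrete, the following is an added example, not kernel code and not part of this patch. It models snd_pcm_oss_sync() in user space: `oss_sync_racy()` has the pre-fix shape (make-ready before the lock), `oss_sync_fixed()` the post-fix shape (make-ready under the lock, error path through `unlock:`). The "other thread" that re-sets the stream parameters is simulated by a hook called at the preemption point, and params_lock is a simple flag with lock/trylock/unlock rather than a real mutex so that the single-threaded run is deterministic. All names (`oss_runtime`, `oss_make_ready`, `oss_change_params`, `oss_flush_locked`, `run_sync_scenario`) are hypothetical stand-ins for the ALSA ones.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OSS_BUF_SIZE 64

/* Stand-in for struct snd_pcm_runtime's oss fields (hypothetical names). */
struct oss_runtime {
    int params_locked;    /* flag standing in for runtime->oss.params_lock */
    char *buffer;         /* models runtime->oss.buffer, NULL until prepared */
    size_t buffer_used;   /* models runtime->oss.buffer_used */
};

static void params_lock(struct oss_runtime *rt)   { rt->params_locked = 1; }
static void params_unlock(struct oss_runtime *rt) { rt->params_locked = 0; }
static int params_trylock(struct oss_runtime *rt)
{
    if (rt->params_locked)
        return -EBUSY;
    rt->params_locked = 1;
    return 0;
}

/* Prepares the stream: allocates the OSS buffer if it is missing.
 * Stands in for snd_pcm_oss_make_ready() / _make_ready_locked(). */
static int oss_make_ready(struct oss_runtime *rt)
{
    if (!rt->buffer) {
        rt->buffer = calloc(OSS_BUF_SIZE, 1);
        if (!rt->buffer)
            return -ENOMEM;
        rt->buffer_used = 4;     /* pretend a partial period is pending */
    }
    return 0;
}

/* The "other thread" re-configuring the stream: takes params_lock and drops
 * the old buffer so the stream must be prepared again. Returns -EBUSY when
 * the lock is already held, i.e. when it cannot interleave. */
static int oss_change_params(struct oss_runtime *rt)
{
    if (params_trylock(rt) < 0)
        return -EBUSY;
    free(rt->buffer);
    rt->buffer = NULL;
    rt->buffer_used = 0;
    params_unlock(rt);
    return 0;
}

/* Flush of the pending partial period. The kernel touches the OSS buffer
 * here, so a NULL buffer is the crash the fuzzer hit; we return -EFAULT
 * instead of dereferencing. Caller holds params_lock. */
static int oss_flush_locked(struct oss_runtime *rt)
{
    if (!rt->buffer)
        return -EFAULT;
    if (rt->buffer_used > 0)
        memset(rt->buffer + rt->buffer_used, 0, OSS_BUF_SIZE - rt->buffer_used);
    return 0;
}

typedef int (*interleave_fn)(struct oss_runtime *rt);

/* Pre-fix shape of snd_pcm_oss_sync(): make-ready runs before the lock. */
static int oss_sync_racy(struct oss_runtime *rt, interleave_fn other)
{
    int err = oss_make_ready(rt);
    if (err < 0)
        return err;
    other(rt);                   /* preemption point: lock not yet held */
    params_lock(rt);
    err = oss_flush_locked(rt);
    params_unlock(rt);
    return err;
}

/* Post-fix shape: make-ready under params_lock, errors leave via unlock. */
static int oss_sync_fixed(struct oss_runtime *rt, interleave_fn other)
{
    int err;
    params_lock(rt);
    err = oss_make_ready(rt);
    if (err < 0)
        goto unlock;
    other(rt);                   /* same point, but the lock is held now */
    err = oss_flush_locked(rt);
unlock:
    params_unlock(rt);
    return err;
}

/* Runs one sync on a fresh, unprepared stream with a concurrent parameter
 * change injected at the preemption point. Returns the sync result. */
int run_sync_scenario(int fixed)
{
    struct oss_runtime rt = { 0, NULL, 0 };
    int err = fixed ? oss_sync_fixed(&rt, oss_change_params)
                    : oss_sync_racy(&rt, oss_change_params);
    free(rt.buffer);
    return err;
}

int main(void)
{
    printf("racy sync:  %d (expect -EFAULT = %d)\n", run_sync_scenario(0), -EFAULT);
    printf("fixed sync: %d (expect 0)\n", run_sync_scenario(1));
    return 0;
}
```

In the racy variant the injected parameter change finds the lock free, releases the buffer that make-ready just allocated, and the locked section then operates on NULL; in the fixed variant the same injection returns -EBUSY because params_lock is already held, so the buffer prepared under the lock is the one the flush uses. This is the whole content of the one-line move in the patch.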