From patchwork Wed May 24 07:17:21 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1785556
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU Bionic 1/1] ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
Date: Wed, 24 May 2023 10:17:21 +0300
Message-Id: <20230524071719.122249-2-cengiz.can@canonical.com>
In-Reply-To: <20230524071719.122249-1-cengiz.can@canonical.com>
References: <20230524071719.122249-1-cengiz.can@canonical.com>

From: Sasha Levin

[ Upstream commit 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d ]

There is a small race window at snd_pcm_oss_sync() that is called from
OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls
snd_pcm_oss_make_ready() at first, then takes the params_lock mutex for
the rest. When the stream is set up again by another thread between
them, it leads to inconsistency, and may result in unexpected results
such as NULL dereference of OSS buffer as a fuzzer spotted recently.

The fix is simply to cover snd_pcm_oss_make_ready() call into the same
params_lock mutex with snd_pcm_oss_make_ready_locked() variant.

Reported-and-tested-by: butt3rflyh4ck
Reviewed-by: Jaroslav Kysela
Cc:
Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com
Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Sasha Levin
CVE-2022-3303
(cherry picked from commit 4051324a6dafd7053c74c475e80b3ba10ae672b0 linux-5.4.y)
Signed-off-by: Cengiz Can --- sound/core/oss/pcm_oss.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c index 87806dab321a..2bc560787ef6 100644 --- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -1672,13 +1672,14 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) runtime = substream->runtime; if (atomic_read(&substream->mmap_count)) goto __direct; - if ((err = snd_pcm_oss_make_ready(substream)) < 0) - return err; atomic_inc(&runtime->oss.rw_ref); if (mutex_lock_interruptible(&runtime->oss.params_lock)) { atomic_dec(&runtime->oss.rw_ref); return -ERESTARTSYS; } + err = snd_pcm_oss_make_ready_locked(substream); + if (err < 0) + goto unlock; format = snd_pcm_oss_format_from(runtime->oss.format); width = snd_pcm_format_physical_width(format); if (runtime->oss.buffer_used > 0) {
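Review bot: the new `goto unlock;` error path in this hunk targets a label outside the shown context, and it is reached only after `atomic_inc(&runtime->oss.rw_ref)` and a successful `mutex_lock_interruptible(&runtime->oss.params_lock)`, whereas the removed `return err;` ran before both and so needed no cleanup. The backport is therefore only correct if snd_pcm_oss_sync() in the Bionic sound/core/oss/pcm_oss.c already has an `unlock:` label that releases `runtime->oss.params_lock` and undoes the `rw_ref` increment; please confirm that, and that snd_pcm_oss_make_ready_locked() exists in this tree, since the patch is a cherry-pick from linux-5.4.y rather than a change written against Bionic. With those two points verified the shape of the change is right: make_ready now runs under the same lock as the buffer handling that follows it, which is exactly the window the commit message describes.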
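To make the race the commit message describes concrete, here is an added user-space model of the before and after shapes of snd_pcm_oss_sync(); it is illustration written for this page, not kernel code or part of the patch. The `params_locked` flag stands in for `runtime->oss.params_lock`, `other_thread_reconfigure()` stands in for a second thread re-setting the stream's parameters, and all struct and function names are hypothetical. The model is single-threaded and deterministic: the "other thread" is invoked at the point where it could interleave, and it only proceeds when it finds the modelled lock free.

```c
/* Added illustration, not the kernel's code: a single-threaded model of the
 * check-then-lock race in snd_pcm_oss_sync() that the patch closes.
 * Names here (oss_stream, params_locked, other_thread_reconfigure) are
 * hypothetical stand-ins for the kernel's runtime->oss fields. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct oss_stream {
    int    params_locked;  /* 1 while the modelled params_lock is held */
    char  *buffer;         /* NULL until make_ready() allocates it */
    size_t buffer_used;    /* bytes pending in the OSS buffer */
};

/* Model of snd_pcm_oss_make_ready(): set up the buffer if it is missing. */
static int make_ready(struct oss_stream *s)
{
    if (!s->buffer) {
        s->buffer = calloc(1, 64);
        if (!s->buffer)
            return -1;
        s->buffer_used = 16;   /* constructed: pretend data is pending */
    }
    return 0;
}

/* Model of another thread re-setting the stream.  It needs params_lock,
 * so it proceeds only if the lock is free.  Returns 1 if it ran, 0 if it
 * would have blocked on the mutex.  buffer_used is left stale on purpose:
 * the point is that the buffer pointer and its bookkeeping disagree. */
static int other_thread_reconfigure(struct oss_stream *s)
{
    if (s->params_locked)
        return 0;              /* would block: serialised after the sync */
    s->params_locked = 1;
    free(s->buffer);           /* old OSS buffer released */
    s->buffer = NULL;
    s->params_locked = 0;
    return 1;
}

/* Pre-patch shape: make_ready() runs before the lock is taken, so the
 * other thread can tear the buffer down in between.  Returns 0 on success,
 * -1 on allocation failure, -2 where the real code would dereference NULL. */
static int sync_racy(struct oss_stream *s)
{
    int err = make_ready(s);
    if (err < 0)
        return err;
    other_thread_reconfigure(s);   /* the window: lock not held yet */
    s->params_locked = 1;
    if (s->buffer_used > 0 && !s->buffer)
        err = -2;                  /* the NULL dereference from the report */
    else if (s->buffer_used > 0)
        memset(s->buffer, 0, s->buffer_used);
    s->params_locked = 0;
    return err;
}

/* Post-patch shape: make_ready() runs under the same lock as the buffer
 * handling, so the other thread finds the lock held and cannot interleave. */
static int sync_fixed(struct oss_stream *s)
{
    int err;
    s->params_locked = 1;
    err = make_ready(s);           /* the make_ready_locked() equivalent */
    if (err < 0)
        goto unlock;
    other_thread_reconfigure(s);   /* same attempt; now blocked by the lock */
    if (s->buffer_used > 0 && !s->buffer)
        err = -2;
    else if (s->buffer_used > 0)
        memset(s->buffer, 0, s->buffer_used);
unlock:
    s->params_locked = 0;
    return err;
}

/* Run each shape on a fresh stream and return its result. */
int demo_racy(void)
{
    struct oss_stream s = {0};
    int r = sync_racy(&s);
    free(s.buffer);
    return r;
}

int demo_fixed(void)
{
    struct oss_stream s = {0};
    int r = sync_fixed(&s);
    free(s.buffer);
    return r;
}

int main(void)
{
    printf("racy sync:  %d (NULL buffer hit under the lock)\n", demo_racy());
    printf("fixed sync: %d (buffer set up and used under one lock)\n", demo_fixed());
    return 0;
}
```

The model shows why the fix is a lock-scope change rather than an extra NULL check: the pre-patch code's `make_ready` result is a fact about the stream that was true before the lock was taken and is not guaranteed to still hold after, which is the same time-of-check-to-time-of-use pattern whichever field the other thread happens to clear. The same applies to the kernel's own error path: once make_ready is inside the lock, its failure must leave through the unlock path instead of returning directly, as the hunk's `goto unlock` does.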