Commit 80150b2c authored by Takashi Iwai's avatar Takashi Iwai Committed by Khalid Elmously

ALSA: seq: Fix racy access for queue timer in proc read

BugLink: https://bugs.launchpad.net/bugs/1860681

commit 60adcfde upstream.

snd_seq_info_timer_read() reads the information of the timer assigned
for each queue, but it's done in a racy way which may lead to UAF as
spotted by syzkaller.

This patch applies the missing q->timer_mutex lock while accessing the
timer object as well as a slight code change to adapt the standard
coding style.

Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
parent 9637f7a1
...@@ -484,15 +484,19 @@ void snd_seq_info_timer_read(struct snd_info_entry *entry, ...@@ -484,15 +484,19 @@ void snd_seq_info_timer_read(struct snd_info_entry *entry,
q = queueptr(idx); q = queueptr(idx);
if (q == NULL) if (q == NULL)
continue; continue;
if ((tmr = q->timer) == NULL || mutex_lock(&q->timer_mutex);
(ti = tmr->timeri) == NULL) { tmr = q->timer;
queuefree(q); if (!tmr)
continue; goto unlock;
} ti = tmr->timeri;
if (!ti)
goto unlock;
snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name); snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name);
resolution = snd_timer_resolution(ti) * tmr->ticks; resolution = snd_timer_resolution(ti) * tmr->ticks;
snd_iprintf(buffer, " Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000); snd_iprintf(buffer, " Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000);
snd_iprintf(buffer, " Skew : %u / %u\n", tmr->skew, tmr->skew_base); snd_iprintf(buffer, " Skew : %u / %u\n", tmr->skew, tmr->skew_base);
unlock:
mutex_unlock(&q->timer_mutex);
queuefree(q); queuefree(q);
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment