Commit b5937013 authored by Takashi Iwai's avatar Takashi Iwai Committed by Kelsey Skunberg

ALSA: seq: oss: Serialize ioctls

BugLink: https://bugs.launchpad.net/bugs/1892822

commit 80982c7e upstream.

Some ioctls via OSS sequencer API may race and lead to UAF when the
port create and delete are performed concurrently, as spotted by a
couple of syzkaller cases.  This patch is an attempt to address it by
serializing the ioctls with the existing register_mutex.

Basically OSS sequencer API is an obsoleted interface and was designed
without much consideration of the concurrency.  There are very few
applications with it, and the concurrent performance isn't asked,
hence this "big hammer" approach should be good enough.

Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com
Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com
Suggested-by: default avatarHillf Danton <hdanton@sina.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
Signed-off-by: default avatarIan May <ian.may@canonical.com>
Signed-off-by: default avatarKelsey Skunberg <kelsey.skunberg@canonical.com>
parent 8562f398
...@@ -180,10 +180,16 @@ static long ...@@ -180,10 +180,16 @@ static long
odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{ {
struct seq_oss_devinfo *dp; struct seq_oss_devinfo *dp;
long rc;
dp = file->private_data; dp = file->private_data;
if (snd_BUG_ON(!dp)) if (snd_BUG_ON(!dp))
return -ENXIO; return -ENXIO;
return snd_seq_oss_ioctl(dp, cmd, arg);
mutex_lock(&register_mutex);
rc = snd_seq_oss_ioctl(dp, cmd, arg);
mutex_unlock(&register_mutex);
return rc;
} }
#ifdef CONFIG_COMPAT #ifdef CONFIG_COMPAT
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment