git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Thu, 26 Apr 2018 07:17:45 +0000 (09:17 +0200)
committer	Stefan Bader <stefan.bader@canonical.com>
	Tue, 14 Aug 2018 10:24:55 +0000 (12:24 +0200)
commit	a51f4ba1ef31e095e324d3f599ab2c117e06ff1b
tree	1d91a6bf1294dd9a46395daaebe321569d18c7c9	tree
parent	0516929668addeaca59f787a6cac6e7000fe2515	commit \| diff

ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()

BugLink: http://bugs.launchpad.net/bugs/1778759
commit 8f22e52528cc372b218b5f100457469615c733ce upstream.

The sequencer virmidi code has an open race at its output trigger
callback: namely, virmidi keeps only one event packet for processing
while it doesn't protect for concurrent output trigger calls.

snd_virmidi_output_trigger() tries to process the previously
unfinished event before starting encoding the given MIDI stream, but
this is done without any lock. Meanwhile, if another rawmidi stream
starts the output trigger, this proceeds further, and overwrites the
event package that is being processed in another thread. This
eventually corrupts and may lead to the invalid memory access if the
event type is like SYSEX.

The fix is just to move the spinlock to cover both the pending event
and the new stream.

The bug was spotted by a new fuzzer, RaceFuzzer.

BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>