]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/commit
ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
authorTakashi Iwai <tiwai@suse.de>
Thu, 7 May 2020 11:44:56 +0000 (13:44 +0200)
committerTakashi Iwai <tiwai@suse.de>
Thu, 7 May 2020 20:29:14 +0000 (22:29 +0200)
commitc1f6e3c818dd734c30f6a7eeebf232ba2cf3181d
treef8f8f8ef8c01671898324e506a5fdce5ed6d2da1
parentda7a8f1a8fc3e14c6dcc52b4098bddb8f20390be
ALSA: rawmidi: Fix racy buffer resize under concurrent accesses

The rawmidi core allows user to resize the runtime buffer via ioctl,
and this may lead to UAF when performed during concurrent reads or
writes: the read/write functions unlock the runtime lock temporarily
during copying form/to user-space, and that's the race window.

This patch fixes the hole by introducing a reference counter for the
runtime buffer read/write access and returns -EBUSY error when the
resize is performed concurrently against read/write.

Note that the ref count field is a simple integer instead of
refcount_t here, since the all contexts accessing the buffer is
basically protected with a spinlock, hence we need no expensive atomic
ops.  Also, note that this busy check is needed only against read /
write functions, and not in receive/transmit callbacks; the race can
happen only at the spinlock hole mentioned in the above, while the
whole function is protected for receive / transmit callbacks.

Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com
Link: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
include/sound/rawmidi.h
sound/core/rawmidi.c