git.proxmox.com Git - pve-kernel.git/blob - CVE-2017-1000380-ALSA-timer-Fix-missing-queue-indices-reset-at-SNDRV_.patch
bump version to 4.10.17-17
From 993c7c14bbc4bf51025bb5c83c1c130417e0e823 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Wed, 21 Jun 2017 18:56:02 +0200
Subject: [PATCH 2/5] ALSA: timer: Fix missing queue indices reset at
 SNDRV_TIMER_IOCTL_SELECT

snd_timer_user_tselect() reallocates the queue buffer dynamically, but
it forgot to reset its indices. Since the read may happen
concurrently with ioctl and snd_timer_user_tselect() allocates the
buffer via kmalloc(), this may lead to the leak of uninitialized
kernel-space data, as spotted via KMSAN:

BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x143/0x1b0 lib/dump_stack.c:52
kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
copy_to_user ./arch/x86/include/asm/uaccess.h:725
snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
do_loop_readv_writev fs/read_write.c:716
__do_readv_writev+0x94c/0x1380 fs/read_write.c:864
do_readv_writev fs/read_write.c:894
vfs_readv fs/read_write.c:908
do_readv+0x52a/0x5d0 fs/read_write.c:934
SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
SyS_readv+0x87/0xb0 fs/read_write.c:1018

This patch adds the missing reset of queue indices. Together with the
previous fix for the ioctl/read race, we cover the whole problem.

Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

CVE-2017-1000380

(cherry-picked from commit ba3021b2c79b2fa9114f92790a99deb27a65b728)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)

52 diff --git a/sound/core/timer.c b/sound/core/timer.c
53 index 3c11a6983f54..e5ddc475dca4 100644
54 --- a/sound/core/timer.c
55 +++ b/sound/core/timer.c
56 @@ -1622,6 +1622,7 @@ static int snd_timer_user_tselect(struct file *file,
57 if (err < 0)
58 goto __err;
59
60 + tu->qhead = tu->qtail = tu->qused = 0;
61 kfree(tu->queue);
62 tu->queue = NULL;
63 kfree(tu->tqueue);
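Review bot: the added `tu->qhead = tu->qtail = tu->qused = 0;` only closes the leak if snd_timer_user_read() cannot run between this reset and the allocation of the new buffers; the message says that serialization comes from "the previous fix for the ioctl/read race", but neither the hunk nor the message names that commit, so a backport that picks this patch in isolation (it is 2/5 in this series) would still let a racing read use a stale qused against a freshly kmalloc()'d buffer. Name the prerequisite commit in the message, or put a lock assertion next to the reset so the dependency is visible in the code. Separately, the fix relies on the invariant that every slot below qused has been written since the reallocation; because the message says the new buffers are still obtained with kmalloc(), zeroing those allocations would keep the read path safe even if a later change to the producer breaks that invariant.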
--
2.11.0

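Added example, not part of the patch or the kernel: a userspace C model of the queue the commit message describes (a kmalloc()-style uninitialized buffer indexed by qhead, qtail and qused), with the reallocation done the buggy way and the fixed way, so the leak that the message attributes to the missing index reset can be observed directly. Every name in the block (tu_queue, tu_init, tu_append, tu_read, tu_tselect_buggy, tu_tselect_fixed, leaked_entries) is invented for the model; the real driver's locking and the ioctl/read race are not modelled, only the effect of stale indices over fresh memory.

```c
/* Added example, not from the kernel or this patch: a userspace model of the
 * snd_timer_user queue (qhead/qtail/qused over a malloc()'d array standing in
 * for kmalloc()) showing why reallocating the buffer without resetting the
 * indices hands never-written slots to the reader, and that zeroing the
 * indices first fixes it.  All names are invented for the model. */
#include <stdlib.h>

struct tu_queue {
    unsigned int *queue;   /* entries, left uninitialized by the allocator */
    int queue_size;
    int qhead, qtail, qused;
};

/* Allocate the first buffer; the queue starts empty. */
static void tu_init(struct tu_queue *tu, int size)
{
    tu->queue = malloc(sizeof(*tu->queue) * (size_t)size);
    tu->queue_size = size;
    tu->qhead = tu->qtail = tu->qused = 0;
}

/* Producer side (the timer interrupt in the real driver). */
static void tu_append(struct tu_queue *tu, unsigned int v)
{
    if (tu->qused >= tu->queue_size)
        return;                      /* model simplification: drop on overflow */
    tu->queue[tu->qtail] = v;
    tu->qtail = (tu->qtail + 1) % tu->queue_size;
    tu->qused++;
}

/* Consumer side, modelled on the read path: copies out up to n entries
 * and returns how many were delivered. */
static int tu_read(struct tu_queue *tu, unsigned int *out, int n)
{
    int copied = 0;

    while (copied < n && tu->qused > 0) {
        out[copied++] = tu->queue[tu->qhead];
        tu->qhead = (tu->qhead + 1) % tu->queue_size;
        tu->qused--;
    }
    return copied;
}

/* Buggy reselect: frees and reallocates the queue but keeps the old
 * indices, so the next read walks qused slots of fresh memory. */
static void tu_tselect_buggy(struct tu_queue *tu, int new_size)
{
    free(tu->queue);
    tu->queue = malloc(sizeof(*tu->queue) * (size_t)new_size);
    tu->queue_size = new_size;
}

/* Fixed reselect: the one-line change from the patch, reset before realloc. */
static void tu_tselect_fixed(struct tu_queue *tu, int new_size)
{
    tu->qhead = tu->qtail = tu->qused = 0;
    free(tu->queue);
    tu->queue = malloc(sizeof(*tu->queue) * (size_t)new_size);
    tu->queue_size = new_size;
}

/* Scenario: enqueue three events, reselect, then read.  Returns the number
 * of entries the reader got back; after the buggy reselect every one of
 * them comes from memory the queue never wrote (what KMSAN flagged). */
static int leaked_entries(int use_fix)
{
    struct tu_queue tu;
    unsigned int out[16];
    int got;

    tu_init(&tu, 8);
    tu_append(&tu, 0x11);
    tu_append(&tu, 0x22);
    tu_append(&tu, 0x33);
    if (use_fix)
        tu_tselect_fixed(&tu, 16);
    else
        tu_tselect_buggy(&tu, 16);
    got = tu_read(&tu, out, 16);
    free(tu.queue);
    return got;
}
```

Build with any C compiler; leaked_entries(0) reports 3 entries read out of the reallocated buffer even though nothing was appended after the reselect, while leaked_entries(1) reports 0. Running the buggy path under MemorySanitizer (clang -fsanitize=memory) reproduces the "use of uninitialized memory" report class that KMSAN produced for the kernel.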