review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Thu, 7 May 2020 11:44:56 +0000 (13:44 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 20 May 2020 06:20:30 +0000 (08:20 +0200)
commit	3fa58fc9f8c4d2b3557bca4363653464546e497e
tree	4d51f58070b6cca7bef5c6af38755898b8f64d71	tree \| snapshot
parent	04ccdf6b031d5bd738b8f9c6370cdfe856b551b5	commit \| diff

ALSA: rawmidi: Fix racy buffer resize under concurrent accesses

commit c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d upstream.

The rawmidi core allows user to resize the runtime buffer via ioctl,
and this may lead to UAF when performed during concurrent reads or
writes: the read/write functions unlock the runtime lock temporarily
during copying form/to user-space, and that's the race window.

This patch fixes the hole by introducing a reference counter for the
runtime buffer read/write access and returns -EBUSY error when the
resize is performed concurrently against read/write.

Note that the ref count field is a simple integer instead of
refcount_t here, since the all contexts accessing the buffer is
basically protected with a spinlock, hence we need no expensive atomic
ops. Also, note that this busy check is needed only against read /
write functions, and not in receive/transmit callbacks; the race can
happen only at the spinlock hole mentioned in the above, while the
whole function is protected for receive / transmit callbacks.

Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com
Link: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

include/sound/rawmidi.h		diff \| blob \| history
sound/core/rawmidi.c		diff \| blob \| history