On Thu, May 07, 2020 at 12:19:18PM +0200, Takashi Iwai wrote: > On Thu, 07 May 2020 12:13:10 +0200, > Greg Kroah-Hartman wrote: > > > > On Thu, May 07, 2020 at 11:56:22AM +0200, Takashi Iwai wrote: > > > On Thu, 07 May 2020 10:23:02 +0200, > > > Greg Kroah-Hartman wrote: > > > > > > > > On Thu, May 07, 2020 at 04:04:25PM +0800, butt3rflyh4ck wrote: > > > > > I report a bug (in linux-5.7-rc1) found by syzkaller. > > > > > > > > > > kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.7.0-rc1.config > > > > > reproducer: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/repro.cprog > > > > > > > > > > I test the reproducer in linux-5.7-rc4 and crash too. > > > > > > > > Great, care to create a fix for this and send it to the proper > > > > maintainers? That's the best way to get it fixed, otherwise it just > > > > goes in the file with the rest of the syzbot reports we are burried > > > > under. > > > > > > Don't worry, I already prepared a fix patch below :) > > > > > > > > > thanks, > > > > > > Takashi > > > > > > -- 8< -- > > > From: Takashi Iwai <tiwai@xxxxxxx> > > > Subject: [PATCH] ALSA: rawmidi: Fix racy buffer resize under concurrent > > > accesses > > > > > > The rawmidi core allows user to resize the runtime buffer via ioctl, > > > and this may lead to UAF when performed during concurrent reads or > > > writes. > > > > > > This patch fixes the race by introducing a reference counter for the > > > runtime buffer access and returns -EBUSY error when the resize is > > > performed concurrently. > > > > > > Reported-by: butt3rflyh4ck <butterflyhuangxx@xxxxxxxxx> > > > Cc: <stable@xxxxxxxxxxxxxxx> > > > Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@xxxxxxxxxxxxxx > > > Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> > > > --- > > > include/sound/rawmidi.h | 1 + > > > sound/core/rawmidi.c | 29 ++++++++++++++++++++++++++++- > > > 2 files changed, 29 insertions(+), 1 deletion(-) > > > > > > diff --git a/include/sound/rawmidi.h b/include/sound/rawmidi.h > > > index a36b7227a15a..334842daa904 100644 > > > --- a/include/sound/rawmidi.h > > > +++ b/include/sound/rawmidi.h > > > @@ -61,6 +61,7 @@ struct snd_rawmidi_runtime { > > > size_t avail_min; /* min avail for wakeup */ > > > size_t avail; /* max used buffer for wakeup */ > > > size_t xruns; /* over/underruns counter */ > > > + int buffer_ref; /* buffer reference count */ > > > /* misc */ > > > spinlock_t lock; > > > wait_queue_head_t sleep; > > > diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c > > > index 20dd08e1f675..4185d9e81e3c 100644 > > > --- a/sound/core/rawmidi.c > > > +++ b/sound/core/rawmidi.c > > > @@ -120,6 +120,17 @@ static void snd_rawmidi_input_event_work(struct work_struct *work) > > > runtime->event(runtime->substream); > > > } > > > > > > +/* buffer refcount management: call with runtime->lock held */ > > > +static inline void snd_rawmidi_buffer_ref(struct snd_rawmidi_runtime *runtime) > > > +{ > > > + runtime->buffer_ref++; > > > +} > > > + > > > +static inline void snd_rawmidi_buffer_unref(struct snd_rawmidi_runtime *runtime) > > > +{ > > > + runtime->buffer_ref--; > > > +} > > > > Why not use the reference count structure? > > The context accessing the buffer is always with the spinlock, so we > don't need expensive atomic ops there. > > Usually this kind of check can be a simple boolean flag, but in this > case, there is one place that goes out of lock due to > copy_from/to_user, so a refcount is used in this patch instead. Ah, ok, thanks for the explanation. greg k-h
