On Thu, 13 Jun 2019 10:33:44 +0200,
Greg Kroah-Hartman wrote:
>
> [ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
>
> ALSA OSS sequencer calls the ioctl function indirectly via
> snd_seq_kernel_client_ctl(). While we already applied the protection
> against races between the normal ioctls and writes via the client's
> ioctl_mutex, this code path was left untouched. And this seems to be
> the cause of still remaining some rare UAF as spontaneously triggered
> by syzkaller.
>
> For the sake of robustness, wrap the ioctl_mutex also for the call via
> snd_seq_kernel_client_ctl(), too.
>
> Reported-by: syzbot+e4c8abb920efa77bace9@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
This commit is reverted later by commit f0654ba94e33.
So please drop this. The proper fix is done later by commit
7c32ae35fbf9 ("ALSA: seq: Cover unsubscribe_port() in list_mutex")
Ditto for 4.19.y and 5.1.y.
thanks,
Takashi
> ---
> sound/core/seq/seq_clientmgr.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
> index 3bcd7a2f0394..692631bd4a35 100644
> --- a/sound/core/seq/seq_clientmgr.c
> +++ b/sound/core/seq/seq_clientmgr.c
> @@ -2348,14 +2348,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
> {
> const struct ioctl_handler *handler;
> struct snd_seq_client *client;
> + int err;
>
> client = clientptr(clientid);
> if (client == NULL)
> return -ENXIO;
>
> for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
> - if (handler->cmd == cmd)
> - return handler->func(client, arg);
> + if (handler->cmd == cmd) {
> + mutex_lock(&client->ioctl_mutex);
> + err = handler->func(client, arg);
> + mutex_unlock(&client->ioctl_mutex);
> + return err;
> + }
> }
>
> pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
> --
> 2.20.1
>
>
>
