ALSA: seq: Make ioctls race-free (CVE-2018-1000004)
This commit is contained in:
parent
6f43038466
commit
e30f878e1d
|
@ -111,6 +111,7 @@ linux (4.14.14-1) UNRELEASED; urgency=medium
|
|||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* loop: fix concurrent lo_open/lo_release (CVE-2018-5344)
|
||||
* ALSA: seq: Make ioctls race-free (CVE-2018-1000004)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* bpf: Avoid ABI change in 4.14.14
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Tue, 9 Jan 2018 23:11:03 +0100
|
||||
Subject: ALSA: seq: Make ioctls race-free
|
||||
Origin: https://git.kernel.org/linus/b3defb791b26ea0683a93a4f49c77ec45ec96f10
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000004
|
||||
|
||||
The ALSA sequencer ioctls have no protection against racy calls while
|
||||
the concurrent operations may lead to interfere with each other. As
|
||||
reported recently, for example, the concurrent calls of setting client
|
||||
pool with a combination of write calls may lead to either the
|
||||
unkillable dead-lock or UAF.
|
||||
|
||||
As a slightly big hammer solution, this patch introduces the mutex to
|
||||
make each ioctl exclusive. Although this may reduce performance via
|
||||
parallel ioctl calls, usually it's not demanded for sequencer usages,
|
||||
hence it should be negligible.
|
||||
|
||||
Reported-by: Luo Quan <a4651386@163.com>
|
||||
Reviewed-by: Kees Cook <keescook@chromium.org>
|
||||
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/seq/seq_clientmgr.c | 3 +++
|
||||
sound/core/seq/seq_clientmgr.h | 1 +
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
|
||||
index 6e22eea72654..d01913404581 100644
|
||||
--- a/sound/core/seq/seq_clientmgr.c
|
||||
+++ b/sound/core/seq/seq_clientmgr.c
|
||||
@@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize)
|
||||
rwlock_init(&client->ports_lock);
|
||||
mutex_init(&client->ports_mutex);
|
||||
INIT_LIST_HEAD(&client->ports_list_head);
|
||||
+ mutex_init(&client->ioctl_mutex);
|
||||
|
||||
/* find free slot in the client table */
|
||||
spin_lock_irqsave(&clients_lock, flags);
|
||||
@@ -2130,7 +2131,9 @@ static long snd_seq_ioctl(struct file *file, unsigned int cmd,
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
+ mutex_lock(&client->ioctl_mutex);
|
||||
err = handler->func(client, &buf);
|
||||
+ mutex_unlock(&client->ioctl_mutex);
|
||||
if (err >= 0) {
|
||||
/* Some commands includes a bug in 'dir' field. */
|
||||
if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT ||
|
||||
diff --git a/sound/core/seq/seq_clientmgr.h b/sound/core/seq/seq_clientmgr.h
|
||||
index c6614254ef8a..0611e1e0ed5b 100644
|
||||
--- a/sound/core/seq/seq_clientmgr.h
|
||||
+++ b/sound/core/seq/seq_clientmgr.h
|
||||
@@ -61,6 +61,7 @@ struct snd_seq_client {
|
||||
struct list_head ports_list_head;
|
||||
rwlock_t ports_lock;
|
||||
struct mutex ports_mutex;
|
||||
+ struct mutex ioctl_mutex;
|
||||
int convert32; /* convert 32->64bit */
|
||||
|
||||
/* output pool */
|
||||
--
|
||||
2.11.0
|
||||
|
|
@ -126,6 +126,7 @@ bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
|
|||
bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
|
||||
bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
|
||||
bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch
|
||||
bugfix/all/alsa-seq-make-ioctls-race-free.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
Loading…
Reference in New Issue