leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
3be5f884f6
linux/sound/core/seq
History
Takashi Iwai 7110599884 ALSA: seq: Fix use-after-free at creating a port 
There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.
Meanwhile, snd_seq_ioctl_create_port() still calls the function
snd_seq_system_client_ev_port_start() with the created port object
that is being deleted, and this triggers use-after-free like:

 BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
 =============================================================================
 BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
 -----------------------------------------------------------------------------
 INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
 	___slab_alloc+0x425/0x460
 	__slab_alloc+0x20/0x40
  	kmem_cache_alloc_trace+0x150/0x190
	snd_seq_create_port+0x94/0x9b0 [snd_seq]
	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
 	__slab_free+0x204/0x310
 	kfree+0x15f/0x180
 	port_delete+0x136/0x1a0 [snd_seq]
 	snd_seq_delete_port+0x235/0x350 [snd_seq]
 	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 Call Trace:
  [<ffffffff81b03781>] dump_stack+0x63/0x82
  [<ffffffff81531b3b>] print_trailer+0xfb/0x160
  [<ffffffff81536db4>] object_err+0x34/0x40
  [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
  [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
  [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
  [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
  [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
  [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
  [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
  [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
  .....

We may fix this in a few different ways, and in this patch, it's fixed
simply by taking the refcount properly at snd_seq_create_port() and
letting the caller unref the object after use.  Also, there is another
potential use-after-free by sprintf() call in snd_seq_create_port(),
and this is moved inside the lock.

This fix covers CVE-2017-15265.

Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 09:58:18 +02:00
..
oss ALSA: seq: Allow the tristate build of OSS emulation 2017-06-09 22:09:45 +02:00
Kconfig ALSA: seq: Fix CONFIG_SND_SEQ_MIDI dependency 2017-08-11 09:51:41 +02:00
Makefile ALSA: seq: Allow the modular sequencer registration 2017-06-12 08:43:33 +02:00
seq_clientmgr.c ALSA: seq: Fix use-after-free at creating a port 2017-10-11 09:58:18 +02:00
seq_clientmgr.h ALSA: seq: Provide card number / PID via sequencer client info 2016-03-08 10:52:52 +01:00
seq_compat.c ALSA: seq: fix passing wrong pointer in function call of compatibility layer 2016-10-12 20:09:36 +02:00
seq_dummy.c ALSA: seq: Drop snd_seq_autoload_lock() and _unlock() 2015-02-12 14:42:31 +01:00
seq_fifo.c sched/wait: Rename wait_queue_t => wait_queue_entry_t 2017-06-20 12:18:27 +02:00
seq_fifo.h
seq_info.c ALSA: core: Build conditionally and remove superfluous ifdefs 2015-04-24 17:31:07 +02:00
seq_info.h ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS 2015-05-27 21:25:19 +02:00
seq_lock.c ALSA: seq: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:03 +02:00
seq_lock.h
seq_memory.c sound updates for 4.13-rc1 2017-07-06 10:56:51 -07:00
seq_memory.h ALSA: seq: Fix racy cell insertions during snd_seq_pool_done() 2017-03-21 14:01:10 +01:00
seq_midi_emul.c ALSA: seq: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:03 +02:00
seq_midi_event.c ALSA: seq: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:03 +02:00
seq_midi.c ALSA: seq: Drop snd_seq_autoload_lock() and _unlock() 2015-02-12 14:42:31 +01:00
seq_ports.c ALSA: seq: Fix use-after-free at creating a port 2017-10-11 09:58:18 +02:00
seq_ports.h ALSA: seq: remove unused callback_all field 2015-01-26 13:56:58 +01:00
seq_prioq.c ALSA: seq: Drop superfluous error/debug messages after malloc failures 2015-03-10 15:41:18 +01:00
seq_prioq.h
seq_queue.c ALSA: seq: 2nd attempt at fixing race creating a queue 2017-08-15 08:02:35 +02:00
seq_queue.h ALSA: seq: 2nd attempt at fixing race creating a queue 2017-08-15 08:02:35 +02:00
seq_system.c sound: Add export.h for THIS_MODULE/EXPORT_SYMBOL where needed 2011-10-31 19:31:22 -04:00
seq_system.h
seq_timer.c ALSA: seq: Fix time account regression 2016-10-25 16:00:46 +02:00
seq_timer.h ALSA: seq_timer: use monotonic times internally 2016-06-17 22:56:13 +02:00
seq_virmidi.c ALSA: seq: Fix copy_from_user() call inside lock 2017-10-09 14:10:13 +02:00
seq.c ALSA: timer: remove legacy rtctimer 2016-04-25 10:41:46 +02:00