leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
8f22e52528
linux/sound/core
History
Takashi Iwai 8f22e52528 ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() 
The sequencer virmidi code has an open race at its output trigger
callback: namely, virmidi keeps only one event packet for processing
while it doesn't protect for concurrent output trigger calls.

snd_virmidi_output_trigger() tries to process the previously
unfinished event before starting encoding the given MIDI stream, but
this is done without any lock.  Meanwhile, if another rawmidi stream
starts the output trigger, this proceeds further, and overwrites the
event package that is being processed in another thread.  This
eventually corrupts and may lead to the invalid memory access if the
event type is like SYSEX.

The fix is just to move the spinlock to cover both the pending event
and the new stream.

The bug was spotted by a new fuzzer, RaceFuzzer.

BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-27 17:50:37 +02:00
..
oss ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation 2018-04-07 13:10:11 +02:00
seq ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() 2018-04-27 17:50:37 +02:00
compress_offload.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
control_compat.c ALSA: Get rid of card power_lock 2017-08-30 20:44:29 +02:00
control.c ALSA: control: Fix missing __user annotation 2018-04-23 16:19:52 +02:00
ctljack.c ALSA: declare snd_kcontrol_new structures as const 2017-05-30 10:29:25 +02:00
device.c ALSA: core: Use %pS printk format for direct addresses 2017-09-07 10:36:02 +02:00
hrtimer.c Merge branch 'for-next' into for-linus 2017-11-13 15:43:13 +01:00
hwdep_compat.c
hwdep.c Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-31 09:25:20 -08:00
info_oss.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
info.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
init.c ALSA: Use scnprintf() instead of snprintf() for show 2018-02-27 09:16:52 +01:00
isadma.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
jack.c ALSA: fix kernel-doc build warning 2017-10-30 08:10:07 +01:00
Kconfig ALSA: seq: Allow the modular sequencer registration 2017-06-12 08:43:33 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
memalloc.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
memory.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
misc.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
pcm_compat.c ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY. 2018-04-23 08:41:35 +02:00
pcm_dmaengine.c ASoC: dmaengine_pcm: Add support for packed transfers 2016-04-27 17:34:11 +01:00
pcm_drm_eld.c ALSA: pcm: use helper function to refer parameter as read-only 2017-05-17 07:24:39 +02:00
pcm_iec958.c ALSA: pcm: Allow 32 bit sample format in IEC958 channel status helper 2016-04-06 14:33:38 -07:00
pcm_lib.c ALSA: pcm: Use krealloc() for resizing the rules array 2018-03-13 15:37:58 +01:00
pcm_local.h ALSA: pcm: unify codes to operate application-side position on PCM buffer 2017-06-12 08:49:22 +02:00
pcm_memory.c ALSA: pcm: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:18:58 +02:00
pcm_misc.c ALSA: pcm: add SNDRV_PCM_FORMAT_{S,U}20 2017-11-29 09:26:33 +01:00
pcm_native.c ALSA: pcm: Change return type to vm_fault_t 2018-04-25 08:15:45 +02:00
pcm_param_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm_timer.c ALSA: pcm: include pcm_local.h and remove some extraneous tabs 2017-05-30 18:04:47 +02:00
pcm_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm.c ALSA: pcm: Fix UAF at PCM release via PCM timer access 2018-04-03 08:36:40 +02:00
rawmidi_compat.c ALSA: rawmidi: Fix missing input substream checks in compat ioctls 2018-04-19 18:16:15 +02:00
rawmidi.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
seq_device.c ALSA: seq: Cancel pending autoload work at unbinding device 2017-09-12 12:41:20 +02:00
sgbuf.c ALSA: core: Deletion of unnecessary checks before two function calls 2014-11-21 20:06:57 +01:00
sound_oss.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
sound.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
timer_compat.c ALSA: timer: Remove kernel warning at compat ioctl error paths 2017-11-21 16:36:11 +01:00
timer.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
vmaster.c ALSA: vmaster: Zero-clear ctl before calling slave get 2018-03-08 08:41:13 +01:00