[for-3.18,17/24] ALSA: seq: Fix race at timer setup and close

Message ID 1494340968-17152-18-git-send-email-amit.pundir@linaro.org
State New
Headers show
Series
  • Security fixes from 2015 and 2016 android security bulletins
Related show

Commit Message

Amit Pundir May 9, 2017, 2:42 p.m.
From: Takashi Iwai <tiwai@suse.de>


commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream.

ALSA sequencer code has an open race between the timer setup ioctl and
the close of the client.  This was triggered by syzkaller fuzzer, and
a use-after-free was caught there as a result.

This patch papers over it by adding a proper queue->timer_mutex lock
around the timer-related calls in the relevant code path.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>

Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

---
 sound/core/seq/seq_queue.c | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.7.4

Patch

diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
index a0cda38205b9..77ec21420355 100644
--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c
@@ -142,8 +142,10 @@  static struct snd_seq_queue *queue_new(int owner, int locked)
 static void queue_delete(struct snd_seq_queue *q)
 {
 	/* stop and release the timer */
+	mutex_lock(&q->timer_mutex);
 	snd_seq_timer_stop(q->timer);
 	snd_seq_timer_close(q);
+	mutex_unlock(&q->timer_mutex);
 	/* wait until access free */
 	snd_use_lock_sync(&q->use_lock);
 	/* release resources... */