Revision - 7e1d90f - ALSA: seq: 2nd attempt at fixing race creating a queue

Revision 7e1d90f60a0d501c8503e636942ca704a454d910 authored by Daniel Mentz on 14 August 2017, 21:46:01 UTC, committed by Takashi Iwai on 15 August 2017, 06:02:35 UTC

ALSA: seq: 2nd attempt at fixing race creating a queue

commit 4842e98f26dd80be3623c4714a244ba52ea096a8 ("ALSA: seq: Fix race at
creating a queue") attempted to fix a race reported by syzkaller. That
fix has been described as follows:

"
When a sequencer queue is created in snd_seq_queue_alloc(),it adds the
new queue element to the public list before referencing it.  Thus the
queue might be deleted before the call of snd_seq_queue_use(), and it
results in the use-after-free error, as spotted by syzkaller.

The fix is to reference the queue object at the right time.
"

Even with that fix in place, syzkaller reported a use-after-free error.
It specifically pointed to the last instruction "return q->queue" in
snd_seq_queue_alloc(). The pointer q is being used after kfree() has
been called on it.

It turned out that there is still a small window where a race can
happen. The window opens at
snd_seq_ioctl_create_queue()->snd_seq_queue_alloc()->queue_list_add()
and closes at
snd_seq_ioctl_create_queue()->queueptr()->snd_use_lock_use(). Between
these two calls, a different thread could delete the queue and possibly
re-create a different queue in the same location in queue_list.

This change prevents this situation by calling snd_use_lock_use() from
snd_seq_queue_alloc() prior to calling queue_list_add(). It is then the
caller's responsibility to call snd_use_lock_free(&q->use_lock).

Fixes: 4842e98f26dd ("ALSA: seq: Fix race at creating a queue")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Daniel Mentz <danielmentz@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

1 parent 8df4b00

Files
Changes

Permalinks

ver_linux

#!/usr/bin/awk -f
# Before running this script please ensure that your PATH is
# typical as you use for compilation/installation. I use
# /bin /sbin /usr/bin /usr/sbin /usr/local/bin, but it may
# differ on your system.

BEGIN {
	usage = "If some fields are empty or look unusual you may have an old version.\n"
	usage = usage "Compare to the current minimal requirements in Documentation/Changes.\n"
	print usage

	system("uname -a")
	printf("\n")

	printversion("GNU C", version("gcc -dumpversion 2>&1"))
	printversion("GNU Make", version("make --version 2>&1"))
	printversion("Binutils", version("ld -v 2>&1"))
	printversion("Util-linux", version("mount --version 2>&1"))
	printversion("Mount", version("mount --version 2>&1"))
	printversion("Module-init-tools", version("depmod -V  2>&1"))
	printversion("E2fsprogs", version("tune2fs 2>&1"))
	printversion("Jfsutils", version("fsck.jfs -V 2>&1"))
	printversion("Reiserfsprogs", version("reiserfsck -V 2>&1"))
	printversion("Reiser4fsprogs", version("fsck.reiser4 -V 2>&1"))
	printversion("Xfsprogs", version("xfs_db -V 2>&1"))
	printversion("Pcmciautils", version("pccardctl -V 2>&1"))
	printversion("Pcmcia-cs", version("cardmgr -V 2>&1"))
	printversion("Quota-tools", version("quota -V 2>&1"))
	printversion("PPP", version("pppd --version 2>&1"))
	printversion("Isdn4k-utils", version("isdnctrl 2>&1"))
	printversion("Nfs-utils", version("showmount --version 2>&1"))

	if (system("test -r /proc/self/maps") == 0) {
		while (getline <"/proc/self/maps" > 0) {
			n = split($0, procmaps, "/")
			if (/libc.*so$/ && match(procmaps[n], /[0-9]+([.]?[0-9]+)+/)) {
				ver = substr(procmaps[n], RSTART, RLENGTH)
				printversion("Linux C Library", ver)
				break
			}
		}
	}

	printversion("Dynamic linker (ldd)", version("ldd --version 2>&1"))

	while ("ldconfig -p 2>/dev/null" | getline > 0) {
		if (/(libg|stdc)[+]+\.so/) {
			libcpp = $NF
			break
		}
	}
	if (system("test -r " libcpp) == 0)
		printversion("Linux C++ Library", version("readlink " libcpp))

	printversion("Procps", version("ps --version 2>&1"))
	printversion("Net-tools", version("ifconfig --version 2>&1"))
	printversion("Kbd", version("loadkeys -V 2>&1"))
	printversion("Console-tools", version("loadkeys -V 2>&1"))
	printversion("Oprofile", version("oprofiled --version 2>&1"))
	printversion("Sh-utils", version("expr --v 2>&1"))
	printversion("Udev", version("udevadm --version 2>&1"))
	printversion("Wireless-tools", version("iwconfig --version 2>&1"))

	if (system("test -r /proc/modules") == 0) {
		while ("sort /proc/modules" | getline > 0) {
			mods = mods sep $1
			sep = " "
		}
		printversion("Modules Loaded", mods)
	}
}

function version(cmd,    ver) {
	while (cmd | getline > 0) {
		if (!/ver_linux/ && match($0, /[0-9]+([.]?[0-9]+)+/)) {
			ver = substr($0, RSTART, RLENGTH)
			break
		}
	}
	close(cmd)
	return ver
}

function printversion(name, value,  ofmt) {
	if (value != "") {
		ofmt = "%-20s\t%s\n"
		printf(ofmt, name, value)
	}
}

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...