Message ID | 20180126161123.1853-2-kleber.souza@canonical.com |
---|---|
State | New |
Series | Fix for CVE-2017-0861 |
On 26/01/18 16:11, Kleber Sacilotto de Souza wrote: > From: Robb Glasser <rglasser@google.com> > > When the device descriptor is closed, the `substream->runtime` pointer > is freed. But another thread may be in the ioctl handler, case > SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which > calls snd_pcm_info() which accesses the now freed `substream->runtime`. > > Note: this fixes CVE-2017-0861 > > Signed-off-by: Robb Glasser <rglasser@google.com> > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> > Cc: <stable@vger.kernel.org> > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > CVE-2017-0861 > (cherry picked from commit 362bca57f5d78220f8b5907b875961af9436e229) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > sound/core/pcm.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/sound/core/pcm.c b/sound/core/pcm.c > index e1e9e0c999fe..5e95bc66f817 100644 > --- a/sound/core/pcm.c > +++ b/sound/core/pcm.c > @@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card, > err = -ENXIO; > goto _error; > } > + mutex_lock(&pcm->open_mutex); > err = snd_pcm_info_user(substream, info); > + mutex_unlock(&pcm->open_mutex); > _error: > mutex_unlock(®ister_mutex); > return err; > Clean cherry pick. Looks sane to me. Acked-by: Colin Ian King <colin.king@canonical.com>
On 2018-01-26 17:11:23 , Kleber Sacilotto de Souza wrote: > From: Robb Glasser <rglasser@google.com> > > When the device descriptor is closed, the `substream->runtime` pointer > is freed. But another thread may be in the ioctl handler, case > SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which > calls snd_pcm_info() which accesses the now freed `substream->runtime`. > > Note: this fixes CVE-2017-0861 > > Signed-off-by: Robb Glasser <rglasser@google.com> > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> > Cc: <stable@vger.kernel.org> > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > CVE-2017-0861 > (cherry picked from commit 362bca57f5d78220f8b5907b875961af9436e229) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > sound/core/pcm.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/sound/core/pcm.c b/sound/core/pcm.c > index e1e9e0c999fe..5e95bc66f817 100644 > --- a/sound/core/pcm.c > +++ b/sound/core/pcm.c > @@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card, > err = -ENXIO; > goto _error; > } > + mutex_lock(&pcm->open_mutex); > err = snd_pcm_info_user(substream, info); > + mutex_unlock(&pcm->open_mutex); > _error: > mutex_unlock(®ister_mutex); > return err; Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
On 2018-01-26 17:11:23 , Kleber Sacilotto de Souza wrote: > From: Robb Glasser <rglasser@google.com> > > When the device descriptor is closed, the `substream->runtime` pointer > is freed. But another thread may be in the ioctl handler, case > SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which > calls snd_pcm_info() which accesses the now freed `substream->runtime`. > > Note: this fixes CVE-2017-0861 > > Signed-off-by: Robb Glasser <rglasser@google.com> > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> > Cc: <stable@vger.kernel.org> > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > CVE-2017-0861 > (cherry picked from commit 362bca57f5d78220f8b5907b875961af9436e229) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > sound/core/pcm.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/sound/core/pcm.c b/sound/core/pcm.c > index e1e9e0c999fe..5e95bc66f817 100644 > --- a/sound/core/pcm.c > +++ b/sound/core/pcm.c > @@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card, > err = -ENXIO; > goto _error; > } > + mutex_lock(&pcm->open_mutex); > err = snd_pcm_info_user(substream, info); > + mutex_unlock(&pcm->open_mutex); > _error: > mutex_unlock(®ister_mutex); > return err; Added 'ACK' to the subject line. Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
On 26.01.2018 17:11, Kleber Sacilotto de Souza wrote: > From: Robb Glasser <rglasser@google.com> > > When the device descriptor is closed, the `substream->runtime` pointer > is freed. But another thread may be in the ioctl handler, case > SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which > calls snd_pcm_info() which accesses the now freed `substream->runtime`. > > Note: this fixes CVE-2017-0861 > > Signed-off-by: Robb Glasser <rglasser@google.com> > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> > Cc: <stable@vger.kernel.org> > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > CVE-2017-0861 > (cherry picked from commit 362bca57f5d78220f8b5907b875961af9436e229) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > sound/core/pcm.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/sound/core/pcm.c b/sound/core/pcm.c > index e1e9e0c999fe..5e95bc66f817 100644 > --- a/sound/core/pcm.c > +++ b/sound/core/pcm.c > @@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card, > err = -ENXIO; > goto _error; > } > + mutex_lock(&pcm->open_mutex); > err = snd_pcm_info_user(substream, info); > + mutex_unlock(&pcm->open_mutex); > _error: > mutex_unlock(®ister_mutex); > return err; >
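As an added example (not part of this patch or of the kernel source), a user-space model of the race the commit message describes: close() detaches and frees the runtime, and an info request that reads it without holding pcm->open_mutex can lose the runtime between its NULL check and the dereference, while the post-patch variant holds the lock across the read so the close has to wait. The struct layouts, pcm_open(), the pcm_try_close() stand-in and the scheduling hook are constructed here for the demonstration and are not the kernel's.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* Constructed user-space model: struct layouts, pcm_try_close() and the
 * scheduling hook are this example's, not the kernel's. */
struct runtime { unsigned int rate; };
struct substream { struct runtime *runtime; };
struct pcm { pthread_mutex_t open_mutex; struct substream sub; };

struct pcm *pcm_open(unsigned int rate) {
    struct pcm *p = calloc(1, sizeof *p);
    struct runtime *rt = malloc(sizeof *rt);
    if (!p || !rt) { free(p); free(rt); return NULL; }
    pthread_mutex_init(&p->open_mutex, NULL);
    rt->rate = rate;
    p->sub.runtime = rt;
    return p;
}
/* Stand-in for close(): detaches and frees the runtime under open_mutex.
 * Returns 1 if it closed, 0 if open_mutex was busy and close had to wait. */
int pcm_try_close(struct pcm *p) {
    if (pthread_mutex_trylock(&p->open_mutex) != 0) return 0;
    free(p->sub.runtime);
    p->sub.runtime = NULL;
    pthread_mutex_unlock(&p->open_mutex);
    return 1;
}
/* Stand-in for snd_pcm_info(); the hook models the closing thread being
 * scheduled between the NULL check and the dereference of runtime. */
static int pcm_info(struct pcm *p, unsigned int *rate, int (*hook)(struct pcm *)) {
    struct runtime *rt = p->sub.runtime;
    if (!rt) return -ENXIO;          /* not open: nothing to report */
    hook(p);                         /* close() may run here */
    if (p->sub.runtime != rt) return -EFAULT; /* rt is freed: that read is the UAF */
    *rate = rt->rate;
    return 0;
}

/* Pre-patch: snd_pcm_info_user() ran with only register_mutex held. */
int pcm_info_unlocked(struct pcm *p, unsigned int *rate) {
    return pcm_info(p, rate, pcm_try_close);
}
/* Post-patch: the whole call runs under pcm->open_mutex, so close waits. */
int pcm_info_locked(struct pcm *p, unsigned int *rate) {
    pthread_mutex_lock(&p->open_mutex);
    int err = pcm_info(p, rate, pcm_try_close);
    pthread_mutex_unlock(&p->open_mutex);
    return err;
}
```

The unlocked variant returns -EFAULT because the runtime it captured was freed under it; the locked variant returns the rate because the trylock in the close path fails with EBUSY while the info path holds open_mutex.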
diff --git a/sound/core/pcm.c b/sound/core/pcm.c index e1e9e0c999fe..5e95bc66f817 100644 --- a/sound/core/pcm.c +++ b/sound/core/pcm.c @@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card, err = -ENXIO; goto _error; } + mutex_lock(&pcm->open_mutex); err = snd_pcm_info_user(substream, info); + mutex_unlock(&pcm->open_mutex); _error: mutex_unlock(®ister_mutex); return err;
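Review bot: the new `mutex_lock(&pcm->open_mutex)` is taken while `register_mutex` is still held (it is only released at `_error`), so this hunk fixes the lock order register_mutex -> pcm->open_mutex; worth stating in the commit message that no path takes register_mutex while already holding a pcm's open_mutex, since that would deadlock. The error handling is correct as written: open_mutex is acquired only after the `err = -ENXIO; goto _error;` check, so the goto path needs no unlock of it, and the existing `mutex_unlock(&register_mutex)` at `_error` still covers every exit. Holding open_mutex across `snd_pcm_info_user(substream, info)` makes the read of `substream->runtime` atomic with respect to the close that frees it, which is exactly the window the commit message describes.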