From patchwork Fri Jan 26 16:11:23 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
X-Patchwork-Id: 866452
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3zSkRq293cz9s81;
	Sat, 27 Jan 2018 03:11:35 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1ef6bD-0008LW-IO; Fri, 26 Jan 2018 16:11:31 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <kleber.souza@canonical.com>)
	id 1ef6bB-0008KR-FV
	for kernel-team@lists.ubuntu.com; Fri, 26 Jan 2018 16:11:29 +0000
Received: from mail-wm0-f72.google.com ([74.125.82.72])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)
	id 1ef6bB-0000O7-82
	for kernel-team@lists.ubuntu.com; Fri, 26 Jan 2018 16:11:29 +0000
Received: by mail-wm0-f72.google.com with SMTP id g187so6034243wmg.2
	for <kernel-team@lists.ubuntu.com>;
	Fri, 26 Jan 2018 08:11:29 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references;
	bh=BJe6TuLNOn5jPzqw5kxOGivS6qkp8lSWjP+2XHlz77M=;
	b=ciTzBke4QhnxeThtO0W6pCc/eU0pM4ozOollZy93FkLpQ8jz9qYbp5NhJkKQK5Q+Lw
	+CyY8yv3SAPoda5ji6+BaLvgATAlQ1fW2rmhiigb0RtY3zBhc6WRcYHxO4n1zw0M3DUd
	msqED/9mDWZajW1M8HtiLGM6AcKdYqMuaEoM78GxCYrJgAc3S7+qR4uMjktx9RBSmRza
	LkFPox8eIEGqzBv0f1V4SamrrkxY2xQE+9WCd5RB5uiYCofBP7ZAMFlhhdqu/vQ0+aNj
	FL3enq/Ly5dQXEGWvFicEkE0mWsemqclisYfyrMsHkmA/Ee4ZkPlg7/lNAoDX3SE+fow
	oLVw==
X-Gm-Message-State: AKwxytfgP97XI9W59QpeToM+0FD7qNA1R4ZnnPwG4lgUo56USlwGKOPp
	f2LDjT/eEPYtdKpMqfn1afOy271JdKbp2K3CmUI6q0MryJ/CJMW+1uTySL7aJBV5noni9OJniae
	yxiPB4aQZ6hH0uGlankcyScE1+GkN68KN5KG9BJ4Akw==
X-Received: by 10.223.164.206 with SMTP id
	h14mr12038049wrb.229.1516983088676;
	Fri, 26 Jan 2018 08:11:28 -0800 (PST)
X-Google-Smtp-Source: 
 AH8x224N5FoGPYbXWGOuoK3QLZfOpxhlY5g9Kx8Ha1gH3jOXUtqyl489L3k+nlwE/FYdsUd23vCyvA==
X-Received: by 10.223.164.206 with SMTP id
	h14mr12038041wrb.229.1516983088468;
	Fri, 26 Jan 2018 08:11:28 -0800 (PST)
Received: from localhost ([212.121.131.210])
	by smtp.gmail.com with ESMTPSA id
	f22sm4166302wmi.24.2018.01.26.08.11.27
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Fri, 26 Jan 2018 08:11:27 -0800 (PST)
From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][Artful][PATCH 1/1] ALSA: pcm: prevent UAF in
	snd_pcm_info
Date: Fri, 26 Jan 2018 17:11:23 +0100
Message-Id: <20180126161123.1853-2-kleber.souza@canonical.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20180126161123.1853-1-kleber.souza@canonical.com>
References: <20180126161123.1853-1-kleber.souza@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Robb Glasser <rglasser@google.com>

When the device descriptor is closed, the `substream->runtime` pointer
is freed. But another thread may be in the ioctl handler, case
SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
calls snd_pcm_info() which accesses the now freed `substream->runtime`.

Note: this fixes CVE-2017-0861

Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

CVE-2017-0861
(cherry picked from commit 362bca57f5d78220f8b5907b875961af9436e229)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
---
 sound/core/pcm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/core/pcm.c b/sound/core/pcm.c
index e1e9e0c999fe..5e95bc66f817 100644
--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card,
 				err = -ENXIO;
 				goto _error;
 			}
+			mutex_lock(&pcm->open_mutex);
 			err = snd_pcm_info_user(substream, info);
+			mutex_unlock(&pcm->open_mutex);
 		_error:
 			mutex_unlock(&register_mutex);
 			return err;