From patchwork Fri Nov 23 07:28:35 2018
X-Patchwork-Submitter: Khalid Elmously
X-Patchwork-Id: 1002178
From: Khalid Elmously
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][Bionic][PATCH 1/1] ALSA: rawmidi: Change resized buffers atomically
Date: Fri, 23 Nov 2018 02:28:35 -0500
Message-Id: <20181123072835.12004-2-khalid.elmously@canonical.com>
In-Reply-To: <20181123072835.12004-1-khalid.elmously@canonical.com>
References: <20181123072835.12004-1-khalid.elmously@canonical.com>
From: Takashi Iwai

CVE-2018-10902

The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the current code is racy. For example, the sequencer client may write to the buffer while it is being resized.

As a simple workaround, let's switch to the resized buffer inside the stream runtime lock.

Change-Id: I780f33f62670b4ad93cf92513aa4b87ff41bc63e
Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com
(cherry picked from commit 39675f7a7c7e7702f7d5341f1e0d01db746543a0)
Signed-off-by: Khalid Elmously
Cc:
Signed-off-by: Takashi Iwai
Acked-by: Tyler Hicks
Acked-by: Kleber Sacilotto de Souza
---
 sound/core/rawmidi.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c index a15f63fde842..ee6e80a40774 100644 --- a/sound/core/rawmidi.c +++ b/sound/core/rawmidi.c @@ -627,7 +627,7 @@ static int snd_rawmidi_info_select_user(struct snd_card *card, int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream, struct snd_rawmidi_params * params) { - char *newbuf; + char *newbuf, *oldbuf; struct snd_rawmidi_runtime *runtime = substream->runtime; if (substream->append && substream->use_count > 1) @@ -640,13 +640,17 @@ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream, return -EINVAL; } if (params->buffer_size != runtime->buffer_size) { - newbuf = krealloc(runtime->buffer, params->buffer_size, - GFP_KERNEL); + newbuf = kmalloc(params->buffer_size, GFP_KERNEL); if (!newbuf) return -ENOMEM; + spin_lock_irq(&runtime->lock); + oldbuf = runtime->buffer; runtime->buffer = newbuf; runtime->buffer_size = params->buffer_size; runtime->avail = runtime->buffer_size; + runtime->appl_ptr = runtime->hw_ptr = 0; + spin_unlock_irq(&runtime->lock); + kfree(oldbuf); } runtime->avail_min = params->avail_min; substream->active_sensing = !params->no_active_sensing;
@@ -657,7 +661,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params); int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream, struct snd_rawmidi_params * params) { - char *newbuf; + char *newbuf, *oldbuf; struct snd_rawmidi_runtime *runtime = substream->runtime; snd_rawmidi_drain_input(substream); @@ -668,12 +672,16 @@ int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream, return -EINVAL; } if (params->buffer_size != runtime->buffer_size) { - newbuf = krealloc(runtime->buffer, params->buffer_size, - GFP_KERNEL); + newbuf = kmalloc(params->buffer_size, GFP_KERNEL); if (!newbuf) return -ENOMEM; + spin_lock_irq(&runtime->lock); + oldbuf = runtime->buffer; runtime->buffer = newbuf; runtime->buffer_size = params->buffer_size; + runtime->appl_ptr = runtime->hw_ptr = 0; + spin_unlock_irq(&runtime->lock); + kfree(oldbuf); } runtime->avail_min = params->avail_min; return 0;
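Review bot: in the @@ -640,13 +640,17 @@ hunk (snd_rawmidi_output_params) the spin_lock_irq()/spin_unlock_irq() region makes the buffer pointer swap and the appl_ptr/hw_ptr reset atomic with respect to other holders of runtime->lock, but it gives no protection to a path that reads runtime->buffer under the lock, drops the lock, and then keeps using the cached pointer (for example to copy to or from user space); after kfree(oldbuf) such a path would still touch freed memory. Since the commit message itself calls this a "simple workaround", it would help to state which accessors were checked for that pattern so the remaining exposure is documented. Separately, replacing krealloc() with kmalloc() discards whatever was queued in the old buffer instead of preserving it; that is consistent with the new `runtime->appl_ptr = runtime->hw_ptr = 0;` and the existing `runtime->avail = runtime->buffer_size;`, but it is a user-visible behaviour change on resize and deserves a sentence in the commit message.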
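Review bot: in the @@ -668,12 +672,16 @@ hunk (snd_rawmidi_input_params) the locked region resets runtime->appl_ptr and runtime->hw_ptr but, unlike the output-side hunk, never touches runtime->avail. The function relies on the earlier snd_rawmidi_drain_input() call (visible in the context of the preceding hunk) having zeroed it, yet that call finishes before spin_lock_irq() is taken here, so any input delivered in between would leave avail counting bytes that were stored in oldbuf and are not present in the freshly kmalloc()'d newbuf. Suggest adding `runtime->avail = 0;` beside `runtime->appl_ptr = runtime->hw_ptr = 0;` inside the locked region so the reset is self-contained, mirroring how the output path updates avail under the same lock.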