From 8e272cc1c88e9d32b10b6f45ef3ba2d873be4631 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Mon, 5 Sep 2022 08:07:14 +0200 Subject: [PATCH] ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC commit:6534a43739b4dbf562a9af9af662e65d3af3e321 CVE:CVE-2022-3303 Signed-off-by: gaochao --------------------------------------- MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit stable inclusion from stable-5.10.148 commit fce793a056c604b41a298317cf704dae255f1b36 category: bugfix issue: I5TI59 CVE: CVE-2022-3303 Signed-off-by: gaochao --------------------------------------- commit 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d upstream. There is a small race window at snd_pcm_oss_sync() that is called from OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls snd_pcm_oss_make_ready() at first, then takes the params_lock mutex for the rest. When the stream is set up again by another thread between them, it leads to inconsistency, and may result in unexpected results such as NULL dereference of OSS buffer as a fuzzer spotted recently. The fix is simply to cover snd_pcm_oss_make_ready() call into the same params_lock mutex with snd_pcm_oss_make_ready_locked() variant. Reported-and-tested-by: butt3rflyh4ck Reviewed-by: Jaroslav Kysela Cc: Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Zubin Mithra Signed-off-by: Greg Kroah-Hartman Signed-off-by: “gc1202” <“gaochao49@huawei.com”> --- sound/core/oss/pcm_oss.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c index 41abb8bd466a..29c5f572ca3b 100644 --- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -1653,13 +1653,14 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) runtime = substream->runtime; if (atomic_read(&substream->mmap_count)) goto __direct; - if ((err = snd_pcm_oss_make_ready(substream)) < 0) - return err; atomic_inc(&runtime->oss.rw_ref); if (mutex_lock_interruptible(&runtime->oss.params_lock)) { atomic_dec(&runtime->oss.rw_ref); return -ERESTARTSYS; } + err = snd_pcm_oss_make_ready_locked(substream); + if (err < 0) + goto unlock; format = snd_pcm_oss_format_from(runtime->oss.format); width = snd_pcm_format_physical_width(format); if (runtime->oss.buffer_used > 0) { -- Gitee