| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <s5hh9iiyjtn.wl-tiwai@suse.de>
Date: Tue, 12 Jan 2016 15:05:24 +0100
From: Takashi Iwai <tiwai@...e.de>
To: "Dmitry Vyukov" <dvyukov@...gle.com>
Cc: <alsa-devel@...a-project.org>, "Jie Yang" <yang.jie@...el.com>,
"Mark Brown" <broonie@...nel.org>,
"Jaroslav Kysela" <perex@...ex.cz>,
"LKML" <linux-kernel@...r.kernel.org>,
"Eric Dumazet" <edumazet@...gle.com>,
"Alexander Potapenko" <glider@...gle.com>,
"Kostya Serebryany" <kcc@...gle.com>,
"syzkaller" <syzkaller@...glegroups.com>,
"Sasha Levin" <sasha.levin@...cle.com>
Subject: Re: sound: use-after-free in snd_timer_stop
On Tue, 12 Jan 2016 11:22:09 +0100,
Dmitry Vyukov wrote:
>
> Hello,
>
> I've hit the following use-after-free while running syzkaller fuzzer.
> It is followed by a splat of other reports and finally kernel death.
> I wasn't able to reproduce it with a standalone C program (there is
> probably some global state involved). But it reproduces by replaying
> fuzzer logs in a loop (you will need Go toolchain):
>
> $ go get github.com/google/syzkaller
> $ cd $GOPATH/src/github.com/google/syzkaller
> $ make executor execprog
Just a note: I had to run "mkdir bin" beforehand.
Also for my distro, I had to remove -static.
> $ scp bin/syz-executor bin/syz-execprog your@...hine
> $ scp snd_timer_stop your@...hine # the attached file
> on test machine:
> $ ./syz-execprog -executor ./syz-executor -cover=0 -repeat=0 -procs=16
> snd_timer_stop
I tried this but couldn't reproduce the issue on my machine,
unfortunately. (Instead I hit another kernel panic regarding apparmor
:)
But looking through your log, it seems like a missing race
protection. Does the patch below work for you?
thanks,
Takashi
---
diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
index 7dfd0f429410..8ea17d0a4299 100644
--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c
@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
static void queue_delete(struct snd_seq_queue *q)
{
/* stop and release the timer */
+ mutex_lock(&q->timer_mutex);
snd_seq_timer_stop(q->timer);
snd_seq_timer_close(q);
+ mutex_unlock(&q->timer_mutex);
/* wait until access free */
snd_use_lock_sync(&q->use_lock);
/* release resources... */
@@ -470,7 +472,9 @@ int snd_seq_queue_timer_close(int queueid)
queue = queueptr(queueid);
if (queue == NULL)
return -EINVAL;
+ mutex_lock(&queue->timer_mutex);
snd_seq_timer_close(queue);
+ mutex_unlock(&queue->timer_mutex);
queuefree(queue);
return result;
}
Powered by blists - more mailing lists