lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 29 Aug 2016 09:06:58 +0200
From:   Takashi Iwai <tiwai@...e.de>
To:     "Vegard Nossum" <vegard.nossum@...cle.com>
Cc:     "Jaroslav Kysela" <perex@...ex.cz>, <alsa-devel@...a-project.org>,
        "syzkaller" <syzkaller@...glegroups.com>,
        <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/3] ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE

On Mon, 29 Aug 2016 00:33:50 +0200,
Vegard Nossum wrote:
> 
> I got this:
> 
>     divide error: 0000 [#1] PREEMPT SMP KASAN
>     CPU: 1 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #189
>     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
>     task: ffff8801120a9580 task.stack: ffff8801120b0000
>     RIP: 0010:[<ffffffff82c8bd9a>]  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
>     RSP: 0018:ffff88011aa87da8  EFLAGS: 00010006
>     RAX: 0000000000004f76 RBX: ffff880112655e88 RCX: 0000000000000000
>     RDX: 0000000000000000 RSI: ffff880112655ea0 RDI: 0000000000000001
>     RBP: ffff88011aa87e00 R08: ffff88013fff905c R09: ffff88013fff9048
>     R10: ffff88013fff9050 R11: 00000001050a7b8c R12: ffff880114778a00
>     R13: ffff880114778ab4 R14: ffff880114778b30 R15: 0000000000000000
>     FS:  00007f071647c700(0000) GS:ffff88011aa80000(0000) knlGS:0000000000000000
>     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>     CR2: 0000000000603001 CR3: 0000000112021000 CR4: 00000000000006e0
>     Stack:
>      0000000000000000 ffff880114778ab8 ffff880112655ea0 0000000000004f76
>      ffff880112655ec8 ffff880112655e80 ffff880112655e88 ffff88011aa98fc0
>      00000000b97ccf2b dffffc0000000000 ffff88011aa98fc0 ffff88011aa87ef0
>     Call Trace:
>      <IRQ>
>      [<ffffffff813abce7>] __hrtimer_run_queues+0x347/0xa00
>      [<ffffffff82c8bbc0>] ? snd_hrtimer_close+0x130/0x130
>      [<ffffffff813ab9a0>] ? retrigger_next_event+0x1b0/0x1b0
>      [<ffffffff813ae1a6>] ? hrtimer_interrupt+0x136/0x4b0
>      [<ffffffff813ae220>] hrtimer_interrupt+0x1b0/0x4b0
>      [<ffffffff8120f91e>] local_apic_timer_interrupt+0x6e/0xf0
>      [<ffffffff81227ad3>] ? kvm_guest_apic_eoi_write+0x13/0xc0
>      [<ffffffff83c35086>] smp_apic_timer_interrupt+0x76/0xa0
>      [<ffffffff83c3416c>] apic_timer_interrupt+0x8c/0xa0
>      <EOI>
>      [<ffffffff83c3239c>] ? _raw_spin_unlock_irqrestore+0x2c/0x60
>      [<ffffffff82c8185d>] snd_timer_start1+0xdd/0x670
>      [<ffffffff82c87015>] snd_timer_continue+0x45/0x80
>      [<ffffffff82c88100>] snd_timer_user_ioctl+0x1030/0x2830
>      [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
>      [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
>      [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
>      [<ffffffff815aa4f8>] ? handle_mm_fault+0xbc8/0x27f0
>      [<ffffffff815a9930>] ? __pmd_alloc+0x370/0x370
>      [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
>      [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
>      [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
>      [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
>      [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
>      [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
>      [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
>      [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
>      [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
>      [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
>      [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
>      [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
>     Code: e8 fc 42 7b fe 8b 0d 06 8a 50 03 49 0f af cf 48 85 c9 0f 88 7c 01 00 00 48 89 4d a8 e8 e0 42 7b fe 48 8b 45 c0 48 8b 4d a8 48 99 <48> f7 f9 49 01 c7 e8 cb 42 7b fe 48 8b 55 d0 48 b8 00 00 00 00
>     RIP  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
>      RSP <ffff88011aa87da8>
>     ---[ end trace 6aa380f756a21074 ]---
> 
> The problem happens when you call ioctl(SNDRV_TIMER_IOCTL_CONTINUE) on a
> completely new/unused timer -- it will have ->sticks == 0, which causes a
> divide by 0 in snd_hrtimer_callback().
> 
> Signed-off-by: Vegard Nossum <vegard.nossum@...cle.com>

Applied with Cc to stable.  Thanks.


Takashi


> ---
>  sound/core/timer.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/sound/core/timer.c b/sound/core/timer.c
> index 7899e37..faa18f4 100644
> --- a/sound/core/timer.c
> +++ b/sound/core/timer.c
> @@ -813,6 +813,7 @@ int snd_timer_new(struct snd_card *card, char *id, struct snd_timer_id *tid,
>  	timer->tmr_subdevice = tid->subdevice;
>  	if (id)
>  		strlcpy(timer->id, id, sizeof(timer->id));
> +	timer->sticks = 1;
>  	INIT_LIST_HEAD(&timer->device_list);
>  	INIT_LIST_HEAD(&timer->open_list_head);
>  	INIT_LIST_HEAD(&timer->active_list_head);
> -- 
> 2.10.0.rc0.1.g07c9292
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ