| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <s5hh81z9iob.wl-tiwai@suse.de>
Date: Tue, 17 Dec 2019 14:37:56 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Jia-Ju Bai <baijiaju1990@...il.com>
Cc: perex@...ex.cz, tiwai@...e.com, rfontana@...hat.com,
gregkh@...uxfoundation.org, allison@...utok.net,
tglx@...utronix.de, alsa-devel@...a-project.org,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [BUG] ALSA: seq: a possible sleep-in-atomic-context bug in snd_virmidi_dev_receive_event()
On Tue, 17 Dec 2019 14:24:21 +0100,
Jia-Ju Bai wrote:
>
> The driver may sleep while holding a read lock.
> The function call path (from bottom to top) in Linux 4.19 is:
>
> sound/core/seq/seq_memory.c, 96:
> copy_from_user in snd_seq_dump_var_event
> sound/core/seq/seq_virmidi.c, 97:
> snd_seq_dump_var_event in snd_virmidi_dev_receive_event
> sound/core/seq/seq_virmidi.c, 88:
> _raw_read_lock in snd_virmidi_dev_receive_event
This can't happen. snd_virmidi_dev_receive_event() takes
conditionally either read_lock or rw_sem depending on the atomic
argument. And the data including user-space pointer is handled always
with atomic=1, hence down_read() is used instead of read_lock() here.
thanks,
Takashi
> copy_from_user() can sleep at runtime.
>
> I am not sure how to properly fix this possible bug, so I only report it.
>
> This bug is found by a static analysis tool STCheck written by myself.
>
>
> Best wishes,
> Jia-Ju Bai
>
Powered by blists - more mailing lists