Date: Wed, 29 Sep 2021 17:28:57 +0200
From: Takashi Iwai <tiwai@...e.de>
To: John Keeping <john@...anate.com>
Cc: linux-kernel@...r.kernel.org, alsa-devel@...a-project.org, Takashi Iwai <tiwai@...e.com>
Subject: Re: [PATCH] ALSA: rawmidi: Fix potential UAF from sequencer destruction

On Wed, 29 Sep 2021 17:17:58 +0200,
John Keeping wrote:
>
> On Wed, 29 Sep 2021 16:51:47 +0200
> Takashi Iwai <tiwai@...e.de> wrote:
>
> > On Wed, 29 Sep 2021 13:36:20 +0200,
> > John Keeping wrote:
> > >
> > > If the sequencer device outlives the rawmidi device, then
> > > snd_rawmidi_dev_seq_free() will run after release_rawmidi_device() has
> > > freed the snd_rawmidi structure.
> > >
> > > This can easily be reproduced with CONFIG_DEBUG_KOBJECT_RELEASE.
> > >
> > > Keep a reference to the rawmidi device until the sequencer has been
> > > destroyed in order to avoid this.
> > >
> > > Signed-off-by: John Keeping <john@...anate.com>
> >
> > Thanks for the patch. I wonder, though, how this could be triggered.
> > Is this the case where the connected sequencer device is being used
> > while the sound card gets released? Or is it something else?
>
> I'm not sure if it's possible to trigger via the ALSA API; I haven't
> found a route that can trigger it, but that doesn't mean there isn't
> one :-)
>
> Mostly this is useful to make CONFIG_DEBUG_KOBJECT_RELEASE cleaner.

Hm, then could you check whether the patch below papers over it
instead?

thanks,

Takashi

--- a/sound/core/seq/seq_ports.c +++ b/sound/core/seq/seq_ports.c
@@ -415,11 +415,16 @@ static int subscribe_port(struct snd_seq_client *client, grp->count--; } } - if (err >= 0 && send_ack && client->type == USER_CLIENT) + if (err < 0) + return err; + + if (send_ack && client->type == USER_CLIENT) snd_seq_client_notify_subscription(port->addr.client, port->addr.port, info, SNDRV_SEQ_EVENT_PORT_SUBSCRIBED); + else if (client->type == KERNEL_CLIENT) + get_device(&client->data.kernel.card->card_dev); - return err; + return 0; } static int unsubscribe_port(struct snd_seq_client *client, @@ -439,6 +444,8 @@ static int unsubscribe_port(struct snd_seq_client *client, snd_seq_client_notify_subscription(port->addr.client, port->addr.port, info, SNDRV_SEQ_EVENT_PORT_UNSUBSCRIBED); module_put(port->owner); + if (client->type == KERNEL_CLIENT) + snd_card_unref(client->data.kernel.card); return err; }
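Review bot: In the subscribe_port() hunk, the new `else if (client->type == KERNEL_CLIENT)` branch uses client->data.kernel.card without checking it. If a kernel client can exist without an associated card, get_device() is handed a pointer derived from NULL, so the branch should also test that the card pointer is set. Separately, the tail changes from `return err;` to `return 0;`, which discards any positive value left in err after the `if (err < 0)` early return; if callers never relied on that, a line in the changelog saying so would help.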
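Review bot: In the unsubscribe_port() hunk, the reference is dropped with snd_card_unref() while subscribe_port() takes it with get_device() on card_dev, so the pairing is not obvious when reading either site alone; a one-line comment on both sides naming the counterpart would make the lifetime rule clear. The get only happens after `if (err < 0) return err;`, so please confirm that this unref is reached exactly once for each successful subscribe_port() and not on a path where the subscribe failed, and apply the same card pointer condition here as on the get side.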