lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 29 Sep 2021 17:28:57 +0200
From:   Takashi Iwai <tiwai@...e.de>
To:     John Keeping <john@...anate.com>
Cc:     linux-kernel@...r.kernel.org, alsa-devel@...a-project.org,
        Takashi Iwai <tiwai@...e.com>
Subject: Re: [PATCH] ALSA: rawmidi: Fix potential UAF from sequencer destruction

On Wed, 29 Sep 2021 17:17:58 +0200,
John Keeping wrote:
> 
> On Wed, 29 Sep 2021 16:51:47 +0200
> Takashi Iwai <tiwai@...e.de> wrote:
> 
> > On Wed, 29 Sep 2021 13:36:20 +0200,
> > John Keeping wrote:
> > > 
> > > If the sequencer device outlives the rawmidi device, then
> > > snd_rawmidi_dev_seq_free() will run after release_rawmidi_device() has
> > > freed the snd_rawmidi structure.
> > > 
> > > This can easily be reproduced with CONFIG_DEBUG_KOBJECT_RELEASE.
> > > 
> > > Keep a reference to the rawmidi device until the sequencer has been
> > > destroyed in order to avoid this.
> > > 
> > > Signed-off-by: John Keeping <john@...anate.com>  
> > 
> > Thanks for the patch.  I wonder, though, how this could be triggered.
> > Is this the case where the connected sequencer device is being used
> > while the sound card gets released?  Or is it something else?
> 
> I'm not sure if it's possible to trigger via the ALSA API; I haven't
> found a route that can trigger it, but that doesn't mean there isn't
> one :-)
> 
> Mostly this is useful to make CONFIG_DEBUG_KOBJECT_RELEASE cleaner.

Hm, then could you check whether the patch below papers over it
instead?


thanks,

Takashi

--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -415,11 +415,16 @@ static int subscribe_port(struct snd_seq_client *client,
 			grp->count--;
 		}
 	}
-	if (err >= 0 && send_ack && client->type == USER_CLIENT)
+	if (err < 0)
+		return err;
+
+	if (send_ack && client->type == USER_CLIENT)
 		snd_seq_client_notify_subscription(port->addr.client, port->addr.port,
 						   info, SNDRV_SEQ_EVENT_PORT_SUBSCRIBED);
+	else if (client->type == KERNEL_CLIENT)
+		get_device(&client->data.kernel.card->card_dev);
 
-	return err;
+	return 0;
 }
 
 static int unsubscribe_port(struct snd_seq_client *client,
@@ -439,6 +444,8 @@ static int unsubscribe_port(struct snd_seq_client *client,
 		snd_seq_client_notify_subscription(port->addr.client, port->addr.port,
 						   info, SNDRV_SEQ_EVENT_PORT_UNSUBSCRIBED);
 	module_put(port->owner);
+	if (client->type == KERNEL_CLIENT)
+		snd_card_unref(client->data.kernel.card);
 	return err;
 }
 

Powered by blists - more mailing lists