lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87zfag9qvd.wl-tiwai@suse.de>
Date: Sat, 27 Sep 2025 11:39:02 +0200
From: Takashi Iwai <tiwai@...e.de>
To: Jeongjun Park <aha310510@...il.com>
Cc: Takashi Iwai <tiwai@...e.de>,
	clemens@...isch.de,
	perex@...ex.cz,
	tiwai@...e.com,
	linux-sound@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	stable@...r.kernel.org
Subject: Re: [PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free

On Sat, 27 Sep 2025 10:48:02 +0200,
Jeongjun Park wrote:
> 
> Hi,
> 
> Takashi Iwai <tiwai@...e.de> wrote:
> >
> > On Sat, 27 Sep 2025 06:41:06 +0200,
> > Jeongjun Park wrote:
> > >
> > > The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
> > > removal") patched a UAF issue caused by the error timer.
> > >
> > > However, because the error timer kill added in this patch occurs after the
> > > endpoint delete, a race condition to UAF still occurs, albeit rarely.
> > >
> > > Therefore, to prevent this, the error timer must be killed before freeing
> > > the heap memory.
> > >
> > > Cc: <stable@...r.kernel.org>
> > > Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
> > > Signed-off-by: Jeongjun Park <aha310510@...il.com>
> >
> > I suppose it's a fix for the recent syzbot reports?
> >   https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com
> >   https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com
> >
> 
> Oh, I didn't know it was already reported on syzbot.
> 
> > I had the very same fix in mind, as posted in
> >   https://lore.kernel.org/87plbhn16a.wl-tiwai@suse.de
> > so I'll happily apply if that's the case (and it was verified to
> > work).  I'm just back from vacation and trying to catch up things.
> >
> 
> Although it's difficult to disclose right now, I have already completed
> writing a PoC that triggers a UAF due to the error timer in a slightly
> different way than the backtrace reported to syzbot, and I have confirmed
> that no bugs occur when testing this patch through this PoC.

OK, so this sounds like a coincidence, but it's very likely the same
issue, so I'm going to put mark those syzbot reports.


thanks,

Takashi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ