67 lines
2.5 KiB
Diff
67 lines
2.5 KiB
Diff
|
From 993c7c14bbc4bf51025bb5c83c1c130417e0e823 Mon Sep 17 00:00:00 2001
|
||
|
From: Takashi Iwai <tiwai@suse.de>
|
||
|
Date: Wed, 21 Jun 2017 18:56:02 +0200
|
||
|
Subject: [PATCH 2/5] ALSA: timer: Fix missing queue indices reset at
|
||
|
SNDRV_TIMER_IOCTL_SELECT
|
||
|
|
||
|
snd_timer_user_tselect() reallocates the queue buffer dynamically, but
|
||
|
it forgot to reset its indices. Since the read may happen
|
||
|
concurrently with ioctl and snd_timer_user_tselect() allocates the
|
||
|
buffer via kmalloc(), this may lead to the leak of uninitialized
|
||
|
kernel-space data, as spotted via KMSAN:
|
||
|
|
||
|
BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
|
||
|
CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
|
||
|
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
|
||
|
Call Trace:
|
||
|
__dump_stack lib/dump_stack.c:16
|
||
|
dump_stack+0x143/0x1b0 lib/dump_stack.c:52
|
||
|
kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
|
||
|
kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
|
||
|
copy_to_user ./arch/x86/include/asm/uaccess.h:725
|
||
|
snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
|
||
|
do_loop_readv_writev fs/read_write.c:716
|
||
|
__do_readv_writev+0x94c/0x1380 fs/read_write.c:864
|
||
|
do_readv_writev fs/read_write.c:894
|
||
|
vfs_readv fs/read_write.c:908
|
||
|
do_readv+0x52a/0x5d0 fs/read_write.c:934
|
||
|
SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
|
||
|
SyS_readv+0x87/0xb0 fs/read_write.c:1018
|
||
|
|
||
|
This patch adds the missing reset of queue indices. Together with the
|
||
|
previous fix for the ioctl/read race, we cover the whole problem.
|
||
|
|
||
|
Reported-by: Alexander Potapenko <glider@google.com>
|
||
|
Tested-by: Alexander Potapenko <glider@google.com>
|
||
|
Cc: <stable@vger.kernel.org>
|
||
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||
|
|
||
|
CVE-2017-1000380
|
||
|
|
||
|
(cherry-picked from commit ba3021b2c79b2fa9114f92790a99deb27a65b728)
|
||
|
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
|
||
|
Acked-by: Seth Forshee <seth.forshee@canonical.com>
|
||
|
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
||
|
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
||
|
|
||
|
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||
|
---
|
||
|
sound/core/timer.c | 1 +
|
||
|
1 file changed, 1 insertion(+)
|
||
|
|
||
|
diff --git a/sound/core/timer.c b/sound/core/timer.c
|
||
|
index 3c11a6983f54..e5ddc475dca4 100644
|
||
|
--- a/sound/core/timer.c
|
||
|
+++ b/sound/core/timer.c
|
||
|
@@ -1622,6 +1622,7 @@ static int snd_timer_user_tselect(struct file *file,
|
||
|
if (err < 0)
|
||
|
goto __err;
|
||
|
|
||
|
+ tu->qhead = tu->qtail = tu->qused = 0;
|
||
|
kfree(tu->queue);
|
||
|
tu->queue = NULL;
|
||
|
kfree(tu->tqueue);
|
||
|
--
|
||
|
2.11.0
|
||
|
|