linux/sound/core/seq
Takashi Iwai 83e197a841 ALSA: seq: Fix race of snd_seq_timer_open()
The timer instance per queue is exclusive, and snd_seq_timer_open()
should have managed the concurrent accesses.  It looks as if it's
checking the already existing timer instance at the beginning, but
it's not right, because there is no protection, hence any later
concurrent call of snd_seq_timer_open() may override the timer
instance easily.  This may result in UAF, as the leftover timer
instance can keep running while the queue itself gets closed, as
spotted by syzkaller recently.

For avoiding the race, add a proper check at the assignment of
tmr->timeri again, and return -EBUSY if it's been already registered.

Reported-by: syzbot+ddc1260a83ed1cbf6fb5@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000dce34f05c42f110c@google.com
Link: https://lore.kernel.org/r/20210610152059.24633-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2021-06-10 17:21:30 +02:00
..
oss Merge branch 'for-linus' into for-next 2021-01-18 17:39:23 +01:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
seq_clientmgr.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
seq_clientmgr.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_compat.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_dummy.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_fifo.c ALSA: seq: Fix potential concurrent access to the deleted pool 2019-08-25 09:31:10 +02:00
seq_fifo.h ALSA: seq: Fix potential concurrent access to the deleted pool 2019-08-25 09:31:10 +02:00
seq_info.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_info.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_lock.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_lock.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
seq_memory.c ALSA: core: Use DIV_ROUND_UP() instead of open-coding it 2020-12-25 09:11:46 +01:00
seq_memory.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_midi_emul.c ALSA: Use fallthrough pseudo-keyword 2020-07-09 13:01:29 +02:00
seq_midi_event.c ALSA: seq: More constifications 2020-01-05 16:14:29 +01:00
seq_midi.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_ports.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
seq_ports.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_prioq.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_prioq.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_queue.c ALSA: seq: remove useless function 2020-11-04 09:12:00 +01:00
seq_queue.h ALSA: seq: Use bool for snd_seq_queue internal flags 2020-12-06 09:35:53 +01:00
seq_system.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_system.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
seq_timer.c ALSA: seq: Fix race of snd_seq_timer_open() 2021-06-10 17:21:30 +02:00
seq_timer.h ALSA: seq: Fix concurrent access to queue current tick/time 2020-02-14 15:53:09 +01:00
seq_virmidi.c ALSA: seq: virmidi: Fix running status after receiving sysex 2020-03-16 10:06:22 +01:00
seq.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00