ALSA: pcm: Fix races among concurrent prealloc proc writes

stable inclusion from linux-4.19.243 commit e14dca613e0a6ddc2bf6e360f16936a9f865205b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I50WAS CVE: CVE-2022-1048 -------------------------------- commit 69534c48 upstream. We have no protection against concurrent PCM buffer preallocation changes via proc files, and it may potentially lead to UAF or some weird problem. This patch applies the PCM open_mutex to the proc write operation for avoiding the racy proc writes and the PCM stream open (and further operations). Cc: <stable@vger.kernel.org> Reviewed-by: N Jaroslav Kysela <perex@perex.cz> Link: https://lore.kernel.org/r/20220322170720.3529-5-tiwai@suse.deSigned-off-by: N Takashi Iwai <tiwai@suse.de> [OP: backport to 4.19: adjusted context] Signed-off-by: N Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Rui Xiang <rui.xiang@huawei.com> Reviewed-by: N zhangxiaoxu <zhangxiaoxu5@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

ALSA: pcm: Fix races among concurrent prealloc proc writes
stable inclusion from linux-4.19.243 commit e14dca613e0a6ddc2bf6e360f16936a9f865205b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I50WAS CVE: CVE-2022-1048 -------------------------------- commit 69534c48 upstream. We have no protection against concurrent PCM buffer preallocation changes via proc files, and it may potentially lead to UAF or some weird problem. This patch applies the PCM open_mutex to the proc write operation for avoiding the racy proc writes and the PCM stream open (and further operations). Cc: <stable@vger.kernel.org> Reviewed-by: N Jaroslav Kysela <perex@perex.cz> Link: https://lore.kernel.org/r/20220322170720.3529-5-tiwai@suse.deSigned-off-by: N Takashi Iwai <tiwai@suse.de> [OP: backport to 4.19: adjusted context] Signed-off-by: N Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Rui Xiang <rui.xiang@huawei.com> Reviewed-by: N zhangxiaoxu <zhangxiaoxu5@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
e91fee6f · Takashi Iwai · Yongqiang Liu · 2c34260b · e91fee6f
显示空白变更内容
内联并排

Showing with 7 addition and 4 deletion

sound/core/pcm_memory.c sound/core/pcm_memory.c +7 -4

未找到文件。
--- a/sound/core/pcm_memory.c
+++ b/sound/core/pcm_memory.c
@@ -160,19 +160,20 @@ static void snd_pcm_lib_preallocate_proc_write(struct snd_info_entry *entry,
 	size_t size;
 	struct snd_dma_buffer new_dmab;
+	mutex_lock(&substream->pcm->open_mutex);
 	if (substream->runtime) {
 		buffer->error = -EBUSY;
-		return;
+		goto unlock;
 	}
 	if (!snd_info_get_line(buffer, line, sizeof(line))) {
 		snd_info_get_str(str, line, sizeof(str));
 		size = simple_strtoul(str, NULL, 10) * 1024;
 		if ((size != 0 && size < 8192) || size > substream->dma_max) {
 			buffer->error = -EINVAL;
-			return;
+			goto unlock;
 		}
 		if (substream->dma_buffer.bytes == size)
-			return;
+			goto unlock;
 		memset(&new_dmab, 0, sizeof(new_dmab));
 		new_dmab.dev = substream->dma_buffer.dev;
 		if (size > 0) {
@@ -180,7 +181,7 @@ static void snd_pcm_lib_preallocate_proc_write(struct snd_info_entry *entry,
 						substream->dma_buffer.dev.dev,
 						size, &new_dmab) < 0) {
 				buffer->error = -ENOMEM;
-				return;
+				goto unlock;
 			}
 			substream->buffer_bytes_max = size;
 		} else {
@@ -192,6 +193,8 @@ static void snd_pcm_lib_preallocate_proc_write(struct snd_info_entry *entry,
 	} else {
 		buffer->error = -EINVAL;
 	}
+ unlock:
+	mutex_unlock(&substream->pcm->open_mutex);
 }
 static inline void preallocate_info_init(struct snd_pcm_substream *substream)