github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-08 14:42:37 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
e5c0fbcd2c
linux/include
History
Takashi Iwai a507658fdb ALSA: rawmidi: Fix racy buffer resize under concurrent accesses 
commit c1f6e3c818 upstream.

The rawmidi core allows user to resize the runtime buffer via ioctl,
and this may lead to UAF when performed during concurrent reads or
writes: the read/write functions unlock the runtime lock temporarily
during copying form/to user-space, and that's the race window.

This patch fixes the hole by introducing a reference counter for the
runtime buffer read/write access and returns -EBUSY error when the
resize is performed concurrently against read/write.

Note that the ref count field is a simple integer instead of
refcount_t here, since the all contexts accessing the buffer is
basically protected with a spinlock, hence we need no expensive atomic
ops.  Also, note that this busy check is needed only against read /
write functions, and not in receive/transmit callbacks; the race can
happen only at the spinlock hole mentioned in the above, while the
whole function is protected for receive / transmit callbacks.

Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com
Link: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-20 08:18:47 +02:00
..
acpi x86: ACPI: fix CPU hotplug deadlock 2020-04-23 10:30:20 +02:00
asm-generic
clocksource
crypto
drm drm/panel: make drm_panel.h self-contained 2020-01-27 14:51:01 +01:00
dt-bindings dt-bindings: reset: meson8b: fix duplicate reset IDs 2020-01-23 08:21:26 +01:00
keys KEYS: Don't write out to userspace while holding key semaphore 2020-04-23 10:30:24 +02:00
kvm
linux gcc-10 warnings: fix low-hanging fruit 2020-05-20 08:18:45 +02:00
math-emu
media media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in v4l2_device macros 2020-02-24 08:34:41 +01:00
memory
misc
net netfilter: conntrack: avoid gcc-10 zero-length-bounds warning 2020-05-20 08:18:43 +02:00
pcmcia
ras
rdma RDMA/uverbs: Verify MR access flags 2020-02-14 16:33:23 -05:00
scsi scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session" 2020-02-28 16:38:58 +01:00
soc
sound ALSA: rawmidi: Fix racy buffer resize under concurrent accesses 2020-05-20 08:18:47 +02:00
target scsi: target: fix hang when multiple threads try to destroy the same iscsi session 2020-04-21 09:03:11 +02:00
trace svcrdma: Fix trace point use-after-free race 2020-05-02 17:25:51 +02:00
uapi include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for swap 2020-05-02 17:25:48 +02:00
video
xen