Commit feb68902 authored by Takashi Iwai's avatar Takashi Iwai

ALSA: seq: Protect in-kernel ioctl calls with mutex

ALSA OSS sequencer calls the ioctl function indirectly via
snd_seq_kernel_client_ctl().  While we already applied the protection
against races between the normal ioctls and writes via the client's
ioctl_mutex, this code path was left untouched.  And this seems to be
the cause of still remaining some rare UAF as spontaneously triggered
by syzkaller.

For the sake of robustness, wrap the ioctl_mutex also for the call via
snd_seq_kernel_client_ctl(), too.

Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent f823b8a7
......@@ -2340,14 +2340,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
{
const struct ioctl_handler *handler;
struct snd_seq_client *client;
int err;
client = clientptr(clientid);
if (client == NULL)
return -ENXIO;
for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
if (handler->cmd == cmd)
return handler->func(client, arg);
if (handler->cmd == cmd) {
mutex_lock(&client->ioctl_mutex);
err = handler->func(client, arg);
mutex_unlock(&client->ioctl_mutex);
return err;
}
}
pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment