From patchwork Tue Dec  5 17:16:55 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nick Desaulniers <ndesaulniers@google.com>
X-Patchwork-Id: 10095113
Return-Path: <alsa-devel-bounces@alsa-project.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	E0C4460210 for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed,  6 Dec 2017 09:15:30 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D7C9A29654
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed,  6 Dec 2017 09:15:30 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id CCB9F29785; Wed,  6 Dec 2017 09:15:30 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, RCVD_IN_DNSWL_NONE,
	T_DKIM_INVALID autolearn=no version=3.3.1
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D6F6329654
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Wed,  6 Dec 2017 09:15:29 +0000 (UTC)
Received: from alsa0.perex.cz (localhost [127.0.0.1])
	by alsa0.perex.cz (Postfix) with ESMTP id BFBBB266B80;
	Wed,  6 Dec 2017 10:15:26 +0100 (CET)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 6EABB2677B7; Tue,  5 Dec 2017 18:17:22 +0100 (CET)
Received: from mail-it0-f68.google.com (mail-it0-f68.google.com
	[209.85.214.68])
	by alsa0.perex.cz (Postfix) with ESMTP id 56FB9266D61
	for <alsa-devel@alsa-project.org>;
	Tue,  5 Dec 2017 18:17:19 +0100 (CET)
Received: by mail-it0-f68.google.com with SMTP id f190so3223810ita.5
	for <alsa-devel@alsa-project.org>;
	Tue, 05 Dec 2017 09:17:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=20161025; h=from:to:cc:subject:date:message-id;
	bh=WCgtIRkG0mLZnsPRc7XXtlX7k9XQb/WmB39ORBh84+o=;
	b=V/U41nCJ/c3dtbhNrhP64DGBpke1/WqjmA9ejp54UlYgXMfGcAUUJg58ljEynFMRb2
	ji2RoCqaSNSukIJyjei3vEBytH9oBuNFwh5Pt629mgCpRI39NlbO3+KBswRM2690K5sa
	i9DeDcihkoEpP6qygu1jmFagUW2jMl9CrPuzJZAKOgPq2puziFd3MwTg64ieFMd7goh3
	zSK0sgKw/ru4zi3TIQ/E9qtAYAtmqvXWpcrUrxgoFu5eii6iHxpTUo06ag0NvurlrXtR
	OwdMAUZ6a0gQYUhASqWQunMFBcmWDs3du+7TGCjBEC38utln9dCKxzlth7drmrk0zcRg
	2Wow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=WCgtIRkG0mLZnsPRc7XXtlX7k9XQb/WmB39ORBh84+o=;
	b=LAmJ/27Gsu80M59vwqWz7FeblJp8VBsvRShHLhAKRJ7n5PV1b4QxNzBwaauxJ3atsz
	orU4x42oUEhPVj4p7YY6VeKV8D+MSZxuPBsxhYUjjYwBnUTSiLLd8nYK744VDJHZxtdt
	kGTB7Txrs8YBzfiKS16x87Sa68zlF2O2Nk6FEjB/ZQUoEXf4nPfwERWhLcszTOR8AHjR
	6aOrGRLROwLGiP/iZM8yht+5pidqxurFbdonRiYDQm6ZyQVEV1ezuDGocb72kTsDNJon
	nzflc1gaYMyrXGlhShg9byWjCSYqM4kRMb3PoPhu0YUtQtt4UL+SM49DfJieVFjTU2GP
	KPhA==
X-Gm-Message-State: AJaThX4jCzsTOLxkDKrq0oFkrifxZD72FxuWvPmgOGaNX+XVXkZPu7FG
	3WtUJKpdZIj6QUPTAlfsmx41QQ==
X-Google-Smtp-Source: 
 AGs4zMbkqzamtBznVPD9WP5GSqMpLF3PoHFBlOCrCOW0yp6xyzCs2F3Ci2HSlBkzQ1xpZjU2WmxChg==
X-Received: by 10.107.131.17 with SMTP id f17mr32064458iod.100.1512494237888;
	Tue, 05 Dec 2017 09:17:17 -0800 (PST)
Received: from ndesaulniers0.svl.corp.google.com ([100.122.154.213])
	by smtp.gmail.com with ESMTPSA id
	w133sm389303itc.44.2017.12.05.09.17.14
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 05 Dec 2017 09:17:15 -0800 (PST)
From: Nick Desaulniers <ndesaulniers@google.com>
To: 
Date: Tue,  5 Dec 2017 09:16:55 -0800
Message-Id: <20171205171657.74392-1-ndesaulniers@google.com>
X-Mailer: git-send-email 2.15.0.531.g2ccb3012c9-goog
X-Mailman-Approved-At: Wed, 06 Dec 2017 10:15:25 +0100
Cc: alsa-devel@alsa-project.org, keescook@chromium.org,
	linux-kernel@vger.kernel.org,
	Nick Desaulniers <ndesaulniers@google.com>,
	Takashi Iwai <tiwai@suse.com>, Robb Glasser <rglasser@google.com>,
	Arvind Yadav <arvind.yadav.cs@gmail.com>,
	Takashi Sakamoto <o-takashi@sakamocchi.jp>,
	Markus Elfring <elfring@users.sourceforge.net>
Subject: [alsa-devel] [PATCH] ALSA: pcm: prevent UAF in snd_pcm_info
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
	http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Robb Glasser <rglasser@google.com>

When the device descriptor is closed, the `substream->runtime` pointer
is freed. But another thread may be in the ioctl handler, case
SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
calls snd_pcm_info() which accesses the now freed `substream->runtime`.

Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
---
 sound/core/pcm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/core/pcm.c b/sound/core/pcm.c
index 9070f277f8db..09ee8c6b9f75 100644
--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -153,7 +153,9 @@ static int snd_pcm_control_ioctl(struct snd_card *card,
 				err = -ENXIO;
 				goto _error;
 			}
+			mutex_lock(&pcm->open_mutex);
 			err = snd_pcm_info_user(substream, info);
+			mutex_unlock(&pcm->open_mutex);
 		_error:
 			mutex_unlock(&register_mutex);
 			return err;