From patchwork Fri Oct 6 17:17:27 2017
X-Patchwork-Submitter: Mark Salyzyn
X-Patchwork-Id: 9991377
From: Mark Salyzyn
To: linux-kernel@vger.kernel.org
Cc: bunk@kernel.org, alsa-devel@alsa-project.org, Takashi Iwai, Mark Salyzyn, bunk@stusta.de
Date: Fri, 6 Oct 2017 10:17:27 -0700
Message-Id: <20171006171731.88889-1-salyzyn@android.com>
Subject: [alsa-devel] [PATCH v2] ALSA: seq: resize buffer for overflow

Cannot replicate, issue discovered in fuzzing. Stack trace below.
No functional or performance testing done regarding the fix.

Trap at (reformatted):

    snd_seq_oss_readq_puts(struct seq_oss_readq *q, int dev, unsigned char *data, int len)
    {
        union evrec rec;
        int result;

        memset(&rec, 0, sizeof(rec));
        rec.c[0] = SEQ_MIDIPUTC;
        rec.c[2] = dev;
        while (len-- > 0) {
            rec.c[1] = *data++; // data is RBX

HERE 'data' pointer just passed a page boundary, so the buffer supplied was
short. Caller must have been handed an ev->type equal to
SNDRV_SEQ_EVENT_SYSEX, which resulted in handing off the
ev->data.ext.ptr[ev->data.ext.len] buffer. Intuited that the source of the
event and buffer was referenced in snd_midi_event_encode_byte() passing a
larger length than the allocated buffer.
BUG: unable to handle kernel paging request at ffffc900008ab000
IP: [] snd_seq_oss_readq_puts+0xd5/0x170 sound/core/seq/oss/seq_oss_readq.c:112
PGD 1da091067 PUD 1da092067
Oops: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3264 Comm: XXXXXXXX
Hardware name: XXXXXXXXXX
task: ffff8801cdd9e000 task.stack: ffff8801ce648000
RIP: 0010:[] [] snd_seq_oss_readq_puts+0xd5/0x170 sound/core/seq/oss/seq_oss_readq.c:112
RSP: 0018:ffff8801ce64f1c0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc900008ab000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff858e5780
RBP: ffff8801ce64f260 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 1ffff10039cc9df2 R12: 000000003fffffa4
R13: dffffc0000000000 R14: ffff8801ce64f238 R15: ffffc900008ab001
FS:  00007fe3d3d9e700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc900008ab000 CR3: 00000001d19b7000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 1ffff10039cc9e3b ffff8801ce64f1f8 ffff8801d0b9aa00 0000000041b58ab3
 ffffffff841daf3c ffffffff82e2fb30 0000000000000286 0000000000000005
 ffffffff838aa5d5 ffffffff861962c0 dffffc0000000000 ffff8801ce64f260
Call Trace:
 [] send_midi_event sound/core/seq/oss/seq_oss_midi.c:616 [inline]
 [] snd_seq_oss_midi_input+0x8ce/0xa70 sound/core/seq/oss/seq_oss_midi.c:535
 [] snd_seq_oss_event_input+0x15d/0x220 sound/core/seq/oss/seq_oss_event.c:439
 [] snd_seq_deliver_single_event.constprop.11+0x310/0x7c0 sound/core/seq/seq_clientmgr.c:621
 [] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:676 [inline]
 [] snd_seq_deliver_event+0x316/0x740 sound/core/seq/seq_clientmgr.c:807
 [] snd_seq_kernel_client_dispatch+0x11e/0x150 sound/core/seq/seq_clientmgr.c:2314
 [] dummy_input+0x235/0x320 sound/core/seq/seq_dummy.c:104
 [] snd_seq_deliver_single_event.constprop.11+0x310/0x7c0 sound/core/seq/seq_clientmgr.c:621
 [] snd_seq_deliver_event+0x12d/0x740 sound/core/seq/seq_clientmgr.c:818
 [] snd_seq_dispatch_event+0x11d/0x520 sound/core/seq/seq_clientmgr.c:892
 [] snd_seq_check_queue.part.3+0x38e/0x510 sound/core/seq/seq_queue.c:285
 [] snd_seq_check_queue sound/core/seq/seq_queue.c:357 [inline]
 [] snd_seq_enqueue_event+0x32d/0x3d0 sound/core/seq/seq_queue.c:363
 [] snd_seq_client_enqueue_event+0x204/0x3e0 sound/core/seq/seq_clientmgr.c:951
 [] kernel_client_enqueue.part.10+0xb5/0xd0 sound/core/seq/seq_clientmgr.c:2251
 [] kernel_client_enqueue sound/core/seq/seq_clientmgr.c:2241 [inline]
 [] snd_seq_kernel_client_enqueue_blocking+0xcf/0x110 sound/core/seq/seq_clientmgr.c:2279
 [] insert_queue sound/core/seq/oss/seq_oss_rw.c:189 [inline]
 [] snd_seq_oss_write+0x538/0x850 sound/core/seq/oss/seq_oss_rw.c:148
 [] odev_write+0x64/0x90 sound/core/seq/oss/seq_oss.c:177
 [] __vfs_write+0x103/0x680 fs/read_write.c:510
 [] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [] SYSC_write fs/read_write.c:607 [inline]
 [] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Code: 4d 9a eb 4e e8 2d aa 53 fe 4c 8d 7b 01 48 89 d8 48 89 d9 48 c1 e8 03 83 e1 07 42 0f b6 04 28 38 c8 7f 08 84 c0 0f 85 80 00 00 00 <41> 0f b6 47 ff 41 83 ec 01 48 8b b5 68 ff ff ff 48 8b bd 70 ff
RIP [] snd_seq_oss_readq_puts+0xd5/0x170 sound/core/seq/oss/seq_oss_readq.c:112
 RSP
CR2: ffffc900008ab000

Signed-off-by: Mark Salyzyn

v2: removed nested locks in snd_midi_event_resize_buffer
---
 sound/core/seq/seq_midi_event.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/sound/core/seq/seq_midi_event.c b/sound/core/seq/seq_midi_event.c
index 90bbbdbeba03..ed3206ef0cd4 100644
--- a/sound/core/seq/seq_midi_event.c
+++ b/sound/core/seq/seq_midi_event.c
@@ -192,8 +192,7 @@ EXPORT_SYMBOL(snd_midi_event_no_status); /* * resize buffer */ -#if 0 -int snd_midi_event_resize_buffer(struct snd_midi_event *dev, int bufsize) +static int snd_midi_event_resize_buffer(struct snd_midi_event *dev, int bufsize) { unsigned char *new_buf, *old_buf; unsigned long flags; @@ -203,16 +202,13 @@ int snd_midi_event_resize_buffer(struct snd_midi_event *dev, int bufsize) new_buf = kmalloc(bufsize, GFP_KERNEL); if (new_buf == NULL) return -ENOMEM; - spin_lock_irqsave(&dev->lock, flags); old_buf = dev->buf; dev->buf = new_buf; dev->bufsize = bufsize; reset_encode(dev); - spin_unlock_irqrestore(&dev->lock, flags); kfree(old_buf); return 0; } -#endif /* 0 */ /* * read bytes and encode to sequencer event if finished @@ -297,6 +293,8 @@ int snd_midi_event_encode_byte(struct snd_midi_event *dev, int c, } else if (dev->type == ST_SYSEX) { if (c == MIDI_CMD_COMMON_SYSEX_END || dev->read >= dev->bufsize) { + if (dev->read > dev->bufsize) + snd_midi_event_resize_buffer(dev, dev->read); ev->flags &= ~SNDRV_SEQ_EVENT_LENGTH_MASK; ev->flags |= SNDRV_SEQ_EVENT_LENGTH_VARIABLE; ev->type = SNDRV_SEQ_EVENT_SYSEX;
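Review bot: in the first hunk (@@ -192,8 +192,7 @@), the `unsigned long flags;` local shown in the context of snd_midi_event_resize_buffer() becomes unused once the second hunk removes the spin_lock_irqsave()/spin_unlock_irqrestore() pair that used it, so the function will now build with an unused-variable warning; drop the declaration in the same patch that drops the locking. Also worth a sentence in the commit message: the function was compiled out under `#if 0` and is being revived as a static helper with a single in-file caller, which is a behaviour change for code that has not been exercised until now.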
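Review bot: in the second hunk (@@ -203,16 +202,13 @@), removing the lock from snd_midi_event_resize_buffer() because it nested inside the caller's lock (per the v2 note) means the `kmalloc(bufsize, GFP_KERNEL);` at the top of the function now runs while the caller holds dev->lock with interrupts disabled; GFP_KERNEL may sleep, so this needs GFP_ATOMIC or the allocation has to be hoisted outside the locked region. The resize also never preserves the data it is resizing for: `old_buf = dev->buf; dev->buf = new_buf; dev->bufsize = bufsize; reset_encode(dev);` followed by `kfree(old_buf);` swaps in an uninitialised buffer and clears the encoder state, so the bytes accumulated in the old buffer are discarded rather than copied; if the intent is to keep them, the function must memcpy the old contents (bounded by the old bufsize) into new_buf before freeing, and must not call reset_encode() mid-message.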
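Review bot: in the third hunk (@@ -297,6 +293,8 @@), the return value of `snd_midi_event_resize_buffer(dev, dev->read);` is ignored, so on -ENOMEM the code falls through and still tags the event as SNDRV_SEQ_EVENT_SYSEX with the larger length against the old, too-small buffer, which is the very over-read the patch sets out to stop; check the result and discard the event (or clamp the length to dev->bufsize) when the resize fails. The guard `if (dev->read > dev->bufsize)` is also only true once the byte count already exceeds the allocation, so the resize reacts after dev->read has outgrown bufsize instead of preventing it; the hunk should say where that growth happens and bound it there, since nothing in the visible lines stops dev->read from exceeding dev->bufsize before this point. Finally, because the resize path calls reset_encode() (previous hunk), dev->read and the buffer contents no longer describe the same message once the resize has run, so the length and data handed off for the SYSEX event here are inconsistent even in the success case.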