forked from luck/tmp_suning_uos_patched
ALSA: seq: Fix racy access for queue timer in proc read
snd_seq_info_timer_read() reads the information of the timer assigned for each queue, but it's done in a racy way which may lead to UAF as spotted by syzkaller. This patch applies the missing q->timer_mutex lock while accessing the timer object as well as a slight code change to adapt the standard coding style. Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
parent
5d1b71226d
commit
60adcfde92
|
@ -471,15 +471,19 @@ void snd_seq_info_timer_read(struct snd_info_entry *entry,
|
|||
q = queueptr(idx);
|
||||
if (q == NULL)
|
||||
continue;
|
||||
if ((tmr = q->timer) == NULL ||
|
||||
(ti = tmr->timeri) == NULL) {
|
||||
queuefree(q);
|
||||
continue;
|
||||
}
|
||||
mutex_lock(&q->timer_mutex);
|
||||
tmr = q->timer;
|
||||
if (!tmr)
|
||||
goto unlock;
|
||||
ti = tmr->timeri;
|
||||
if (!ti)
|
||||
goto unlock;
|
||||
snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name);
|
||||
resolution = snd_timer_resolution(ti) * tmr->ticks;
|
||||
snd_iprintf(buffer, " Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000);
|
||||
snd_iprintf(buffer, " Skew : %u / %u\n", tmr->skew, tmr->skew_base);
|
||||
unlock:
|
||||
mutex_unlock(&q->timer_mutex);
|
||||
queuefree(q);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue
Block a user