CVE-2024-26654
Duoming Zhou (1):
  ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs

Takashi Iwai (1):
  ALSA: aica: Fix a long-time build breakage

 sound/sh/aica.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
From: Takashi Iwai <tiwai@suse.de>

mainline inclusion
from mainline-v5.2-rc1
commit 534420c6ff87d3052540f1fd346e0adcff440819
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9DD86
CVE: CVE-2024-26654
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
The build of aica sound driver has been broken since the timer API conversion and some code rewrite. This patch fixes the breakage by using the common substream field, as well as a bit cleaning up wrt the timer handling in the code.
Fixes: d522bb6a105f ("ALSA: sh: aica: Convert timers to use timer_setup()")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: liwei <liwei728@huawei.com>
---
 sound/sh/aica.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/sound/sh/aica.c b/sound/sh/aica.c index 2b26311405a4..ad3f71358486 100644 --- a/sound/sh/aica.c +++ b/sound/sh/aica.c @@ -303,7 +303,7 @@ static void aica_period_elapsed(struct timer_list *t) { struct snd_card_aica *dreamcastcard = from_timer(dreamcastcard, t, timer); - struct snd_pcm_substream *substream = dreamcastcard->timer_substream; + struct snd_pcm_substream *substream = dreamcastcard->substream; /*timer function - so cannot sleep */ int play_period; struct snd_pcm_runtime *runtime; @@ -335,13 +335,6 @@ static void spu_begin_dma(struct snd_pcm_substream *substream) dreamcastcard = substream->pcm->private_data; /*get the queue to do the work */ schedule_work(&(dreamcastcard->spu_dma_work)); - /* Timer may already be running */ - if (unlikely(dreamcastcard->timer_substream)) { - mod_timer(&dreamcastcard->timer, jiffies + 4); - return; - } - timer_setup(&dreamcastcard->timer, aica_period_elapsed, 0); - dreamcastcard->timer_substream = substream; mod_timer(&dreamcastcard->timer, jiffies + 4); }
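Review bot: with timer_setup() moved to probe, the deleted "Timer may already be running" branch in spu_begin_dma() was redundant, since mod_timer() on a pending timer simply re-arms it, so the single remaining mod_timer(&dreamcastcard->timer, jiffies + 4) is all the timer handling this function needs. The hunk also drops the only assignment of the timer's substream pointer, which means aica_period_elapsed() (first hunk) now depends on dreamcastcard->substream being set on the open path, and that assignment is not visible anywhere in this diff; a one-line comment at the mod_timer() call stating that dependency would make the coupling explicit.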
@@ -379,8 +372,8 @@ static int snd_aicapcm_pcm_close(struct snd_pcm_substream { struct snd_card_aica *dreamcastcard = substream->pcm->private_data; flush_work(&(dreamcastcard->spu_dma_work)); - if (dreamcastcard->timer_substream) - del_timer(&dreamcastcard->timer); + del_timer(&dreamcastcard->timer); + dreamcastcard->substream = NULL; kfree(dreamcastcard->channel); spu_disable(); return 0; @@ -615,6 +608,7 @@ static int snd_aica_probe(struct platform_device *devptr) "Yamaha AICA Super Intelligent Sound Processor for SEGA Dreamcast"); /* Prepare to use the queue */ INIT_WORK(&(dreamcastcard->spu_dma_work), run_spu_dma); + timer_setup(&dreamcastcard->timer, aica_period_elapsed, 0); /* Load the PCM 'chip' */ err = snd_aicapcmchip(dreamcastcard, 0); if (unlikely(err < 0))
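Review bot: the unconditional del_timer() in snd_aicapcm_pcm_close() does not wait for a handler that is already executing, and it runs after flush_work(), so a run_spu_dma() that re-arms the timer just after the flush, followed by aica_period_elapsed() scheduling the work again, can still reach kfree(dreamcastcard->channel) from the worker. Setting dreamcastcard->substream = NULL here has the same problem, because a handler still in flight reads that pointer at its top. del_timer_sync() followed by cancel_work_sync() would close the window; as written the hunk fixes the build but keeps the ordering hazard.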
From: Duoming Zhou <duoming@zju.edu.cn>

mainline inclusion
from mainline-v6.9-rc2
commit 051e0840ffa8ab25554d6b14b62c9ab9e4901457
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9DD86
CVE: CVE-2024-26654
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
The dreamcastcard->timer could schedule the spu_dma_work and the spu_dma_work could also arm the dreamcastcard->timer.
When the snd_pcm_substream is closing, the aica_channel will be deallocated. But it could still be dereferenced in the worker thread. The reason is that del_timer() will return directly regardless of whether the timer handler is running or not and the worker could be rescheduled in the timer handler. As a result, the UAF bug will happen. The racy situation is shown below:
      (Thread 1)                 |      (Thread 2)
snd_aicapcm_pcm_close()          |
 ...                             |  run_spu_dma() //worker
                                 |    mod_timer()
  flush_work()                   |
  del_timer()                    |  aica_period_elapsed() //timer
  kfree(dreamcastcard->channel)  |    schedule_work()
                                 |  run_spu_dma() //worker
 ...                             |    dreamcastcard->channel-> //USE
In order to mitigate this bug and other possible corner cases, call mod_timer() conditionally in run_spu_dma(), then implement PCM sync_stop op to cancel both the timer and worker. The sync_stop op will be called from PCM core appropriately when needed.
Fixes: 198de43d758c ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device")
Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Message-ID: <20240326094238.95442-1-duoming@zju.edu.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: liwei <liwei728@huawei.com>
---
 sound/sh/aica.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/sound/sh/aica.c b/sound/sh/aica.c index ad3f71358486..8274da2d6b20 100644 --- a/sound/sh/aica.c +++ b/sound/sh/aica.c @@ -295,7 +295,8 @@ static void run_spu_dma(struct work_struct *work) dreamcastcard->clicks++; if (unlikely(dreamcastcard->clicks >= AICA_PERIOD_NUMBER)) dreamcastcard->clicks %= AICA_PERIOD_NUMBER; - mod_timer(&dreamcastcard->timer, jiffies + 1); + if (snd_pcm_running(dreamcastcard->substream)) + mod_timer(&dreamcastcard->timer, jiffies + 1); } }
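Review bot: snd_pcm_running(dreamcastcard->substream) dereferences substream->runtime, so the new guard in run_spu_dma() is only safe while dreamcastcard->substream is non-NULL; the close hunk of this same patch sets it to NULL, which works only because .sync_stop has already cancelled this work by then. A short comment at the if (snd_pcm_running(...)) line stating that ordering would stop a later change from moving the NULL assignment ahead of the cancel. The same ordering assumption applies to the early return added to aica_period_elapsed() in the next hunk.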
@@ -307,6 +308,8 @@ static void aica_period_elapsed(struct timer_list *t) /*timer function - so cannot sleep */ int play_period; struct snd_pcm_runtime *runtime; + if (!snd_pcm_running(substream)) + return; runtime = substream->runtime; dreamcastcard = substream->pcm->private_data; /* Have we played out an additional period? */ @@ -367,12 +370,19 @@ static int snd_aicapcm_pcm_open(struct snd_pcm_substream return 0; }
+static int snd_aicapcm_pcm_sync_stop(struct snd_pcm_substream *substream) +{ + struct snd_card_aica *dreamcastcard = substream->pcm->private_data; + + del_timer_sync(&dreamcastcard->timer); + cancel_work_sync(&dreamcastcard->spu_dma_work); + return 0; +} + static int snd_aicapcm_pcm_close(struct snd_pcm_substream *substream) { struct snd_card_aica *dreamcastcard = substream->pcm->private_data; - flush_work(&(dreamcastcard->spu_dma_work)); - del_timer(&dreamcastcard->timer); dreamcastcard->substream = NULL; kfree(dreamcastcard->channel); spu_disable(); @@ -438,6 +448,7 @@ static const struct snd_pcm_ops snd_aicapcm_playback_ops = { .prepare = snd_aicapcm_pcm_prepare, .trigger = snd_aicapcm_pcm_trigger, .pointer = snd_aicapcm_pcm_pointer, + .sync_stop = snd_aicapcm_pcm_sync_stop, };
/* TO DO: set up to handle more than one pcm instance */
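Review bot: snd_aicapcm_pcm_close() now drops both flush_work() and del_timer() and relies entirely on snd_aicapcm_pcm_sync_stop() having run first, yet nothing in the close function records that dependency; a comment above dreamcastcard->substream = NULL; saying the timer and worker are already quiesced by .sync_stop would protect the kfree(dreamcastcard->channel) that follows. The order inside the new op, del_timer_sync() then cancel_work_sync(), is the right one and only holds together with the snd_pcm_running() check in run_spu_dma(): once the stream is no longer running, a worker cancelled second can no longer re-arm the timer that was stopped first, which is the cycle the commit text describes.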
FeedBack: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/5718 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/A...