Re: KASAN: use-after-free Write in snd_rawmidi_kernel_write1

From: Greg Kroah-Hartman
Date: Thu May 07 2020 - 07:07:38 EST


On Thu, May 07, 2020 at 12:19:18PM +0200, Takashi Iwai wrote:
> On Thu, 07 May 2020 12:13:10 +0200,
> Greg Kroah-Hartman wrote:
> >
> > On Thu, May 07, 2020 at 11:56:22AM +0200, Takashi Iwai wrote:
> > > On Thu, 07 May 2020 10:23:02 +0200,
> > > Greg Kroah-Hartman wrote:
> > > >
> > > > On Thu, May 07, 2020 at 04:04:25PM +0800, butt3rflyh4ck wrote:
> > > > > I report a bug (in linux-5.7-rc1) found by syzkaller.
> > > > >
> > > > > kernel config: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/v5.7.0-rc1.config
> > > > > reproducer: https://github.com/butterflyhack/syzkaller-fuzz/blob/master/repro.cprog
> > > > >
> > > > > I test the reproducer in linux-5.7-rc4 and crash too.
> > > >
> > > > Great, care to create a fix for this and send it to the proper
> > > > maintainers? That's the best way to get it fixed, otherwise it just
> > > > goes in the file with the rest of the syzbot reports we are burried
> > > > under.
> > >
> > > Don't worry, I already prepared a fix patch below :)
> > >
> > >
> > > thanks,
> > >
> > > Takashi
> > >
> > > -- 8< --
> > > From: Takashi Iwai <tiwai@xxxxxxx>
> > > Subject: [PATCH] ALSA: rawmidi: Fix racy buffer resize under concurrent
> > > accesses
> > >
> > > The rawmidi core allows user to resize the runtime buffer via ioctl,
> > > and this may lead to UAF when performed during concurrent reads or
> > > writes.
> > >
> > > This patch fixes the race by introducing a reference counter for the
> > > runtime buffer access and returns -EBUSY error when the resize is
> > > performed concurrently.
> > >
> > > Reported-by: butt3rflyh4ck <butterflyhuangxx@xxxxxxxxx>
> > > Cc: <stable@xxxxxxxxxxxxxxx>
> > > Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@xxxxxxxxxxxxxx
> > > Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> > > ---
> > > include/sound/rawmidi.h | 1 +
> > > sound/core/rawmidi.c | 29 ++++++++++++++++++++++++++++-
> > > 2 files changed, 29 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/include/sound/rawmidi.h b/include/sound/rawmidi.h
> > > index a36b7227a15a..334842daa904 100644
> > > --- a/include/sound/rawmidi.h
> > > +++ b/include/sound/rawmidi.h
> > > @@ -61,6 +61,7 @@ struct snd_rawmidi_runtime {
> > > size_t avail_min; /* min avail for wakeup */
> > > size_t avail; /* max used buffer for wakeup */
> > > size_t xruns; /* over/underruns counter */
> > > + int buffer_ref; /* buffer reference count */
> > > /* misc */
> > > spinlock_t lock;
> > > wait_queue_head_t sleep;
> > > diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
> > > index 20dd08e1f675..4185d9e81e3c 100644
> > > --- a/sound/core/rawmidi.c
> > > +++ b/sound/core/rawmidi.c
> > > @@ -120,6 +120,17 @@ static void snd_rawmidi_input_event_work(struct work_struct *work)
> > > runtime->event(runtime->substream);
> > > }
> > >
> > > +/* buffer refcount management: call with runtime->lock held */
> > > +static inline void snd_rawmidi_buffer_ref(struct snd_rawmidi_runtime *runtime)
> > > +{
> > > + runtime->buffer_ref++;
> > > +}
> > > +
> > > +static inline void snd_rawmidi_buffer_unref(struct snd_rawmidi_runtime *runtime)
> > > +{
> > > + runtime->buffer_ref--;
> > > +}
> >
> > Why not use the reference count structure?
>
> The context accessing the buffer is always with the spinlock, so we
> don't need expensive atomic ops there.
>
> Usually this kind of check can be a simple boolean flag, but in this
> case, there is one place that goes out of lock due to
> copy_from/to_user, so a refcount is used in this patch instead.

Ah, ok, thanks for the explanation.

greg k-h