ALSA: seq: Fix racy access for queue timer in proc read (60adcfde) · Commits · 戴 / test

snd_seq_info_timer_read() reads the information of the timer assigned for each queue, but it's done in a racy way which may lead to UAF as spotted by syzkaller. This patch applies the missing q->timer_mutex lock while accessing the timer object as well as a slight code change to adapt the standard coding style. Reported-by:

<syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com> Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de Signed-off-by:

Takashi Iwai <tiwai@suse.de>

sound/core/seq/seq_timer.c

+9 −5

Original line number	Diff line number	Diff line
		@@ -471,15 +471,19 @@ void snd_seq_info_timer_read(struct snd_info_entry *entry,
		q = queueptr(idx);
		if (q == NULL)
		continue;
		if ((tmr = q->timer) == NULL \|\|
		(ti = tmr->timeri) == NULL) {
		queuefree(q);
		continue;
		}
		mutex_lock(&q->timer_mutex);
		tmr = q->timer;
		if (!tmr)
		goto unlock;
		ti = tmr->timeri;
		if (!ti)
		goto unlock;
		snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name);
		resolution = snd_timer_resolution(ti) * tmr->ticks;
		snd_iprintf(buffer, " Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000);
		snd_iprintf(buffer, " Skew : %u / %u\n", tmr->skew, tmr->skew_base);
		unlock:
		mutex_unlock(&q->timer_mutex);
		queuefree(q);
		}
		}

Admin message