ALSA: timer: Fix incorrectly assigned timer instance

amulya Y · webgeek1234 · commit d45d85f13b80 · 2022-04-24T10:30:16.000-05:00
The clean up commit 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()") unified the error handling code paths with the standard goto, but it introduced a subtle bug: the timer instance is stored in snd_timer_open() incorrectly even if it returns an error. This may eventually lead to UAF, as spotted by fuzzer. The culprit is the snd_timer_open() code checks the SNDRV_TIMER_IFLG_EXCLUSIVE flag with the common variable timeri. This variable is supposed to be the newly created instance, but we (ab-)used it for a temporary check before the actual creation of a timer instance. After that point, there is another check for the max number of instances, and it bails out if over the threshold. Before the refactoring above, it worked fine because the code returned directly from that point. After the refactoring, however, it jumps to the unified error path that stores the timeri variable in return -- even if it returns an error. Unfortunately this stored value is kept in the caller side (snd_timer_user_tselect()) in tu->timeri. This causes inconsistency later, as if the timer was successfully assigned. In this patch, we fix it by not re-using timeri variable but a temporary variable for testing the exclusive connection, so timeri remains NULL at that point. Bug 2965120 Change-Id: Ieb7be2c6d7bb3ee72e781147fba865bb6f40b3ca Fixes: 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()") Reported-and-tested-by: Tristan Madani <tristmd@gmail.com> Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20191106165547.23518-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Reviewed-on: https://git-master.nvidia.com/r/c/linux-4.9/+/2405685 Reviewed-by: Bibek Basu <bbasu@nvidia.com> Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com> GVS: Gerrit_Virtual_Submit Tested-by: Bibek Basu <bbasu@nvidia.com> Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
diff --git a/sound/core/timer.c b/sound/core/timer.c
@@ -280,9 +280,9 @@ int snd_timer_open(struct snd_timer_instance **ti,
 		return -ENODEV;
 	}
 	if (!list_empty(&timer->open_list_head)) {
-		timeri = list_entry(timer->open_list_head.next,
+		struct snd_timer_instance *t = list_entry(timer->open_list_head.next,
 				    struct snd_timer_instance, open_list);
-		if (timeri->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) {
+		if (t->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) {
 			mutex_unlock(&register_mutex);
 			return -EBUSY;
 		}

Original file line number	Diff line number	Diff line change
`@@ -280,9 +280,9 @@ int snd_timer_open(struct snd_timer_instance **ti,`
`280`	`280`	`return -ENODEV;`
`281`	`281`	`}`
`282`	`282`	`if (!list_empty(&timer->open_list_head)) {`
`283`		`- timeri = list_entry(timer->open_list_head.next,`
	`283`	`+ struct snd_timer_instance *t = list_entry(timer->open_list_head.next,`
`284`	`284`	`struct snd_timer_instance, open_list);`
`285`		`- if (timeri->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) {`
	`285`	`+ if (t->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) {`
`286`	`286`	`mutex_unlock(&register_mutex);`
`287`	`287`	`return -EBUSY;`
`288`	`288`	`}`