)]}' { "commit": "c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d", "tree": "f8f8f8ef8c01671898324e506a5fdce5ed6d2da1", "parents": [ "da7a8f1a8fc3e14c6dcc52b4098bddb8f20390be" ], "author": { "name": "Takashi Iwai", "email": "tiwai@suse.de", "time": "Thu May 07 13:44:56 2020 +0200" }, "committer": { "name": "Takashi Iwai", "email": "tiwai@suse.de", "time": "Thu May 07 22:29:14 2020 +0200" }, "message": "ALSA: rawmidi: Fix racy buffer resize under concurrent accesses\n\nThe rawmidi core allows user to resize the runtime buffer via ioctl,\nand this may lead to UAF when performed during concurrent reads or\nwrites: the read/write functions unlock the runtime lock temporarily\nduring copying form/to user-space, and that\u0027s the race window.\n\nThis patch fixes the hole by introducing a reference counter for the\nruntime buffer read/write access and returns -EBUSY error when the\nresize is performed concurrently against read/write.\n\nNote that the ref count field is a simple integer instead of\nrefcount_t here, since the all contexts accessing the buffer is\nbasically protected with a spinlock, hence we need no expensive atomic\nops. Also, note that this busy check is needed only against read /\nwrite functions, and not in receive/transmit callbacks; the race can\nhappen only at the spinlock hole mentioned in the above, while the\nwhole function is protected for receive / transmit callbacks.\n\nReported-by: butt3rflyh4ck \u003cbutterflyhuangxx@gmail.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nLink: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+\u003doUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com\nLink: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de\nSigned-off-by: Takashi Iwai \u003ctiwai@suse.de\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "a36b7227a15ad5dee698a60d3c15d5fae63c04ee", "old_mode": 33188, "old_path": "include/sound/rawmidi.h", "new_id": "334842daa90459c8f4aeced7a7c0fcbd42ffdf29", "new_mode": 33188, "new_path": "include/sound/rawmidi.h" }, { "type": "modify", "old_id": "20dd08e1f675699b98695ef5e398829fa2945c0f", "old_mode": 33188, "old_path": "sound/core/rawmidi.c", "new_id": "2a688b711a9ac698ab19aeacb41f6bef747c59da", "new_mode": 33188, "new_path": "sound/core/rawmidi.c" } ] }