linux/sound/core
Takashi Iwai ba3021b2c7 ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
snd_timer_user_tselect() reallocates the queue buffer dynamically, but
it forgot to reset its indices.  Since the read may happen
concurrently with ioctl and snd_timer_user_tselect() allocates the
buffer via kmalloc(), this may lead to the leak of uninitialized
kernel-space data, as spotted via KMSAN:

  BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
  CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x143/0x1b0 lib/dump_stack.c:52
   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
   kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
   copy_to_user ./arch/x86/include/asm/uaccess.h:725
   snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
   do_loop_readv_writev fs/read_write.c:716
   __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
   do_readv_writev fs/read_write.c:894
   vfs_readv fs/read_write.c:908
   do_readv+0x52a/0x5d0 fs/read_write.c:934
   SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
   SyS_readv+0x87/0xb0 fs/read_write.c:1018

This patch adds the missing reset of queue indices.  Together with the
previous fix for the ioctl/read race, we cover the whole problem.

Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-06-07 10:25:23 +02:00
..
oss sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h> 2017-03-02 08:42:32 +01:00
seq ALSA: seq: Don't break snd_use_lock_sync() loop by timeout 2017-04-13 14:13:25 +02:00
compress_offload.c ALSA: compress: fix some missing and misplaced \n in messages 2016-09-16 19:24:13 +02:00
control_compat.c ALSA: ctl: change return value in compatibility layer so that it's the same value in core implementation 2016-03-17 14:11:36 +01:00
control.c sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h> 2017-03-02 08:42:32 +01:00
ctljack.c ALSA: jack: Fix endless loop at unique index detection 2015-06-26 06:59:57 +02:00
device.c Merge branch 'topic/hda-unbind' into for-next 2015-03-16 14:48:20 +01:00
hrtimer.c ktime: Get rid of the union 2016-12-25 17:21:22 +01:00
hwdep_compat.c
hwdep.c sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h> 2017-03-02 08:42:32 +01:00
info_oss.c ALSA: core: Clean up OSS proc file management 2015-04-24 17:31:08 +02:00
info.c ALSA: info: Return error for invalid read/write 2016-11-08 14:37:26 +01:00
init.c ALSA: hda_intel: add card number to irq description 2016-01-12 21:05:16 +01:00
isadma.c
jack.c ALSA: jack: Allow building the jack layer without input device 2016-02-23 09:03:07 +01:00
Kconfig ALSA: timer: remove legacy rtctimer 2016-04-25 10:41:46 +02:00
Makefile ALSA: timer: remove legacy rtctimer 2016-04-25 10:41:46 +02:00
memalloc.c genalloc: rename of_get_named_gen_pool() to of_gen_pool_get() 2015-06-30 19:45:01 -07:00
memory.c ALSA: Include linux/uaccess.h and linux/bitopts.h instead of asm/* 2015-01-28 17:25:07 +01:00
misc.c printk/sound: handle more message headers 2016-12-12 18:55:09 -08:00
pcm_compat.c ALSA: pcm: Fix ioctls for X32 ABI 2016-02-28 17:44:35 +01:00
pcm_dmaengine.c ASoC: dmaengine_pcm: Add support for packed transfers 2016-04-27 17:34:11 +01:00
pcm_drm_eld.c ALSA: pcm: add DRM ELD helper 2015-05-22 16:01:44 +02:00
pcm_iec958.c ALSA: pcm: Allow 32 bit sample format in IEC958 channel status helper 2016-04-06 14:33:38 -07:00
pcm_lib.c sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h> 2017-03-02 08:42:32 +01:00
pcm_memory.c ALSA: Include linux/io.h instead of asm/io.h 2015-01-28 16:49:33 +01:00
pcm_misc.c ALSA: pcm: Add snd_pcm_rate_range_to_bits() 2016-02-05 18:49:00 +00:00
pcm_native.c sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h> 2017-03-02 08:42:32 +01:00
pcm_timer.c
pcm_trace.h
pcm.c ALSA: pcm: Free chmap at PCM free callback, too 2016-07-08 09:15:44 +02:00
rawmidi_compat.c ALSA: rawmidi: Fix ioctls X32 ABI 2016-02-28 17:44:51 +01:00
rawmidi.c sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h> 2017-03-02 08:42:32 +01:00
sgbuf.c
sound_oss.c ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS 2015-05-27 21:25:19 +02:00
sound.c ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS 2015-05-27 21:25:19 +02:00
timer_compat.c ALSA: timer: fix gparams ioctl compatibility for different architectures 2016-03-23 08:06:16 +01:00
timer.c ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT 2017-06-07 10:25:23 +02:00
vmaster.c