[PATCH] ALSA: seq: KASAN: use-after-free Read in delete_and_unsubscribe_port

From: qiang.zhang
Date: Sat Aug 01 2020 - 02:18:14 EST

From: Zhang Qiang <qiang.zhang@xxxxxxxxxxxxx>

There is a potential race window,when a task acquire "src->list_mutex"
write sem,traverse the linked list to find "subs" objects through
parameter "info" in snd_seq_port_disconnect and then release this
write sem, before this task acquire write sem again,this write sem
may be acquired by another task, and get the same "subs" object through
the same "info" before, it could happen "use-after-free" later, so a
simple solution is to delete the object from the linked list when it
is found.

BUG: KASAN: use-after-free in list_empty include/linux/list.h:282 [inline]
BUG: KASAN: use-after-free in delete_and_unsubscribe_port+0x8b/0x450
sound/core/seq/seq_ports.c:530
Read of size 8 at addr ffff888098523060 by task syz-executor.0/7202

Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1f0/0x31e lib/dump_stack.c:118
print_address_description+0x66/0x5a0 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report+0x132/0x1d0 mm/kasan/report.c:530
list_empty include/linux/list.h:282 [inline]
delete_and_unsubscribe_port+0x8b/0x450 sound/core/seq/seq_ports.c:530
snd_seq_port_disconnect+0x568/0x610 sound/core/seq/seq_ports.c:612
snd_seq_ioctl_unsubscribe_port+0x349/0x6c0 sound/core/seq/seq_clientmgr.c:1525
snd_seq_oss_midi_close+0x397/0x620 sound/core/seq/oss/seq_oss_midi.c:405
snd_seq_oss_synth_reset+0x335/0x8b0 sound/core/seq/oss/seq_oss_synth.c:406
snd_seq_oss_reset+0x5b/0x250 sound/core/seq/oss/seq_oss_init.c:435
snd_seq_oss_ioctl+0x5c2/0x1090 sound/core/seq/oss/seq_oss_ioctl.c:93
odev_ioctl+0x51/0x70 sound/core/seq/oss/seq_oss.c:174
vfs_ioctl fs/ioctl.c:48 [inline]
ksys_ioctl fs/ioctl.c:753 [inline]
__do_sys_ioctl fs/ioctl.c:762 [inline]
__se_sys_ioctl+0xf9/0x160 fs/ioctl.c:760
do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 7202:
save_stack mm/kasan/common.c:48 [inline]
set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494
kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
snd_seq_port_connect+0x66/0x460 sound/core/seq/seq_ports.c:553
snd_seq_ioctl_subscribe_port+0x349/0x6c0 sound/core/seq/seq_clientmgr.c:1484
snd_seq_oss_midi_open+0x4db/0x830 sound/core/seq/oss/seq_oss_midi.c:364
snd_seq_oss_synth_setup_midi+0x108/0x510 sound/core/seq/oss/seq_oss_synth.c:269
snd_seq_oss_open+0x899/0xe90 sound/core/seq/oss/seq_oss_init.c:261
odev_open+0x5e/0x90 sound/core/seq/oss/seq_oss.c:125
chrdev_open+0x498/0x580 fs/char_dev.c:414
do_dentry_open+0x813/0x1070 fs/open.c:828
do_open fs/namei.c:3243 [inline]
path_openat+0x278d/0x37f0 fs/namei.c:3360
do_filp_open+0x191/0x3a0 fs/namei.c:3387
do_sys_openat2+0x463/0x770 fs/open.c:1179
do_sys_open fs/open.c:1195 [inline]
__do_sys_openat fs/open.c:1209 [inline]
__se_sys_openat fs/open.c:1204 [inline]
__x64_sys_openat+0x1c8/0x1f0 fs/open.c:1204
do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 7203:
save_stack mm/kasan/common.c:48 [inline]
set_track mm/kasan/common.c:56 [inline]
kasan_set_free_info mm/kasan/common.c:316 [inline]
__kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
__cache_free mm/slab.c:3426 [inline]
kfree+0x10a/0x220 mm/slab.c:3757
snd_seq_port_disconnect+0x570/0x610 sound/core/seq/seq_ports.c:614
snd_seq_ioctl_unsubscribe_port+0x349/0x6c0 sound/core/seq/seq_clientmgr.c:1525
snd_seq_oss_midi_close+0x397/0x620 sound/core/seq/oss/seq_oss_midi.c:405
snd_seq_oss_synth_reset+0x335/0x8b0 sound/core/seq/oss/seq_oss_synth.c:406
snd_seq_oss_reset+0x5b/0x250 sound/core/seq/oss/seq_oss_init.c:435
snd_seq_oss_ioctl+0x5c2/0x1090 sound/core/seq/oss/seq_oss_ioctl.c:93
odev_ioctl+0x51/0x70 sound/core/seq/oss/seq_oss.c:174
vfs_ioctl fs/ioctl.c:48 [inline]
ksys_ioctl fs/ioctl.c:753 [inline]
__do_sys_ioctl fs/ioctl.c:762 [inline]
__se_sys_ioctl+0xf9/0x160 fs/ioctl.c:760
do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888098523000
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 96 bytes inside of
128-byte region [ffff888098523000, ffff888098523080)
The buggy address belongs to the page:
page:ffffea00026148c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002613988 ffffea000262c648 ffff8880aa400700
raw: 0000000000000000 ffff888098523000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888098522f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888098522f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888098523000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888098523080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888098523100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Reported-by: syzbot+1a54a94bd32716796edd@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Zhang Qiang <qiang.zhang@xxxxxxxxxxxxx>
---
sound/core/seq/seq_ports.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
index 83be6b982a87..9675d3fc146e 100644
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -533,8 +533,7 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client,
grp->exclusive = 0;
write_unlock_irq(&grp->list_lock);

- if (!empty)
- unsubscribe_port(client, port, grp, &subs->info, ack);
+ unsubscribe_port(client, port, grp, &subs->info, ack);
up_write(&grp->list_mutex);
}

@@ -599,6 +598,7 @@ int snd_seq_port_disconnect(struct snd_seq_client *connector,
list_for_each_entry(subs, &src->list_head, src_list) {
if (match_subs_info(info, &subs->info)) {
atomic_dec(&subs->ref_count); /* mark as not ready */
+ list_del_init(&subs->src_list);
err = 0;
break;
}
--
2.26.2