ALSA: timer: Set lower bound of start tick time

commit 4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e upstream.

Fix CVE: CVE-2024-38618

Currently ALSA timer doesn't have the lower limit of the start tick
time, and it allows a very small size, e.g. 1 tick with 1ns resolution
for hrtimer.  Such a situation may lead to an unexpected RCU stall,
where  the callback repeatedly queuing the expire update, as reported
by fuzzer.

This patch introduces a sanity check of the timer start tick time, so
that the system returns an error when a too small start size is set.
As of this patch, the lower limit is hard-coded to 100us, which is
small enough but can still work somehow.

Reported-by: syzbot+43120c2af6ca2938cc38@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/000000000000fa00a1061740ab6d@google.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20240514182745.4015-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ backport note: the error handling is changed, as the original commit
  is based on the recent cleanup with guard() in commit beb45974dd49
  -- tiwai ]
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jianping Liu <frankjpliu@tencent.com>
This commit is contained in:
Takashi Iwai 2024-05-14 20:27:36 +02:00 committed by Jianping Liu
parent 91ccae1327
commit efc81f7f2d
1 changed files with 10 additions and 0 deletions

View File

@ -524,6 +524,16 @@ static int snd_timer_start1(struct snd_timer_instance *timeri,
goto unlock;
}
/* check the actual time for the start tick;
* bail out as error if it's way too low (< 100us)
*/
if (start) {
if ((u64)snd_timer_hw_resolution(timer) * ticks < 100000) {
result = -EINVAL;
goto unlock;
}
}
if (start)
timeri->ticks = timeri->cticks = ticks;
else if (!timeri->cticks)