ALSA: seq: oss: Fix races at processing SysEx messages

JIRA: https://issues.redhat.com/browse/RHEL-76110

CVE: CVE-2024-57893

commit 0179488
Author: Takashi Iwai <tiwai@suse.de>
Date: Mon Dec 30 12:05:35 2024 +0100

    ALSA: seq: oss: Fix races at processing SysEx messages

    OSS sequencer handles the SysEx messages split in 6 bytes packets, and
    ALSA sequencer OSS layer tries to combine those.  It stores the data
    in the internal buffer and this access is racy as of now, which may
    lead to the out-of-bounds access.

    As a temporary band-aid fix, introduce a mutex for serializing the
    process of the SysEx message packets.

    Reported-by: Kun Hu <huk23@m.fudan.edu.cn>
    Closes: https://lore.kernel.org/2B7E93E4-B13A-4AE4-8E87-306A8EE9BBB7@m.fudan.edu.cn
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20241230110543.32454-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

Signed-off-by: Jaroslav Kysela <jkysela@redhat.com>

Author: jkysela-rh

sound/core/seq/oss/seq_oss_synth.c

@@ -66,6 +66,7 @@ static struct seq_oss_synth midi_synth_dev = {
 };
 
 static DEFINE_SPINLOCK(register_lock);
+static DEFINE_MUTEX(sysex_mutex);
 
 /*
  * prototypes
@@ -497,6 +498,7 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
 	if (!info)
 		return -ENXIO;
 
+	guard(mutex)(&sysex_mutex);
 	sysex = info->sysex;
 	if (sysex == NULL) {
 		sysex = kzalloc(sizeof(*sysex), GFP_KERNEL);