linux/sound
Clement Lecigne 9e2b4cc230 UPSTREAM: ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
[ Note: this is a fix that works around the bug equivalently as the
  two upstream commits:
   1fa4445f9a ("ALSA: control - introduce snd_ctl_notify_one() helper")
   56b88b5056 ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF")
  but in a simpler way to fit with older stable trees -- tiwai ]

Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be
easily triggered and turned into a use-after-free.

Example code paths with SNDRV_CTL_IOCTL_ELEM_READ:

64-bits:
snd_ctl_ioctl
  snd_ctl_elem_read_user
    [takes controls_rwsem]
    snd_ctl_elem_read [lock properly held, all good]
    [drops controls_rwsem]

32-bits (compat):
snd_ctl_ioctl_compat
  snd_ctl_elem_write_read_compat
    ctl_elem_write_read
      snd_ctl_elem_read [missing lock, not good]

CVE-2023-0266 was assigned for this issue.

Bug: 265303544
Signed-off-by: Clement Lecigne <clecigne@google.com>
Cc: stable@kernel.org # 5.12 and older
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit df02234e6b87d2a9a82acd3198e44bdeff8488c7)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ibe891cdcb9eaf0dfc7bd771689c85c32b5c0d1f7
2023-01-26 11:51:51 +00:00
..
ac97
aoa ALSA: aoa: Fix I2S device accounting 2022-11-03 23:57:53 +09:00
arm
atmel
core UPSTREAM: ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF 2023-01-26 11:51:51 +00:00
drivers ALSA: aloop: Fix random zeros in capture data when using jiffies timer 2022-09-15 11:32:03 +02:00
firewire
hda ALSA: hda: fix potential memleak in 'add_widget_node' 2022-11-16 09:57:15 +01:00
i2c
isa
mips
oss
parisc
pci ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 2022-11-25 17:45:49 +01:00
pcmcia
ppc
sh
soc This is the 5.10.160 stable release 2022-12-20 12:38:28 +00:00
sparc
spi
synth ALSA: Use del_timer_sync() before freeing timer 2022-11-03 23:57:48 +09:00
usb This is the 5.10.156 stable release 2022-12-02 08:42:05 +00:00
x86
xen
ac97_bus.c
Kconfig
last.c
Makefile
sound_core.c