ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
stable inclusion from stable-v5.10.162 commit df02234e6b87d2a9a82acd3198e44bdeff8488c6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6AOWP CVE: CVE-2023-0266 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=df02234e6b87d2a9a82acd3198e44bdeff8488c6 -------------------------------- [ Note: this is a fix that works around the bug equivalently as the two upstream commits: 1fa4445f ("ALSA: control - introduce snd_ctl_notify_one() helper") 56b88b50 ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF") but in a simpler way to fit with older stable trees -- tiwai ] Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be easily triggered and turned into an use-after-free. Example code paths with SNDRV_CTL_IOCTL_ELEM_READ: 64-bits: snd_ctl_ioctl snd_ctl_elem_read_user [takes controls_rwsem] snd_ctl_elem_read [lock properly held, all good] [drops controls_rwsem] 32-bits (compat): snd_ctl_ioctl_compat snd_ctl_elem_write_read_compat ctl_elem_write_read snd_ctl_elem_read [missing lock, not good] CVE-2023-0266 was assigned for this issue. Signed-off-by:Clement Lecigne <clecigne@google.com> Cc: stable@kernel.org # 5.12 and older Signed-off-by:
Loading
Please sign in to comment