git.baikalelectronics.ru Git - kernel.git/commit

author	Clement Lecigne <clecigne@google.com>
	Fri, 13 Jan 2023 12:07:45 +0000 (13:07 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 18 Jan 2023 10:42:01 +0000 (11:42 +0100)
commit	0ecc23b5d75f897002ce5ef24cd91f3042ff6df1
tree	fff9c93ce055fa521fd1c8fef27f8c1f085c8bed	tree \| snapshot
parent	5154282af4bc2e079cdc4bfb2fc7791b5c4dbcc1	commit \| diff

ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

[ Note: this is a fix that works around the bug equivalently as the
  two upstream commits:
   07563b5a213f ("ALSA: control - introduce snd_ctl_notify_one() helper")
   56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF")
  but in a simpler way to fit with older stable trees -- tiwai ]

Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be
easily triggered and turned into an use-after-free.

Example code paths with SNDRV_CTL_IOCTL_ELEM_READ:

64-bits:
snd_ctl_ioctl
  snd_ctl_elem_read_user
    [takes controls_rwsem]
    snd_ctl_elem_read [lock properly held, all good]
    [drops controls_rwsem]

32-bits (compat):
snd_ctl_ioctl_compat
  snd_ctl_elem_write_read_compat
    ctl_elem_write_read
      snd_ctl_elem_read [missing lock, not good]

CVE-2023-0266 was assigned for this issue.

Signed-off-by: Clement Lecigne <clecigne@google.com>
Cc: stable@kernel.org # 5.12 and older
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>