lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e0dae3a0-4176-0bc7-42e4-65cf58f265ad@perex.cz>
Date:   Fri, 13 Jan 2023 15:45:27 +0100
From:   Jaroslav Kysela <perex@...ex.cz>
To:     Takashi Iwai <tiwai@...e.de>, Greg KH <gregkh@...uxfoundation.org>
Cc:     alsa-devel@...a-project.org, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org, Clement Lecigne <clecigne@...gle.com>
Subject: Re: [PATCH 5.10.y] ALSA: pcm: Properly take rwsem lock in
 ctl_elem_read_user/ctl_elem_write_user to prevent UAF

On 13. 01. 23 15:26, Takashi Iwai wrote:
> From: Clement Lecigne <clecigne@...gle.com>
> 
> [ Note: this is a fix that works around the bug equivalently as the
>    two upstream commits:
>     1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper")
>     56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF")
>    but in a simpler way to fit with older stable trees -- tiwai ]
> 
> Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be
> easily triggered and turned into an use-after-free.
> 
> Example code paths with SNDRV_CTL_IOCTL_ELEM_READ:
> 
> 64-bits:
> snd_ctl_ioctl
>    snd_ctl_elem_read_user
>      [takes controls_rwsem]
>      snd_ctl_elem_read [lock properly held, all good]
>      [drops controls_rwsem]
> 
> 32-bits (compat):
> snd_ctl_ioctl_compat
>    snd_ctl_elem_write_read_compat
>      ctl_elem_write_read
>        snd_ctl_elem_read [missing lock, not good]
> 
> CVE-2023-0266 was assigned for this issue.
> 
> Signed-off-by: Clement Lecigne <clecigne@...gle.com>
> Cc: stable@...nel.org # 5.12 and older
> Signed-off-by: Takashi Iwai <tiwai@...e.de>

Reviewed-by: Jaroslav Kysela <perex@...ex.cz>

-- 
Jaroslav Kysela <perex@...ex.cz>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ