| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Jan 2023 15:45:27 +0100
From: Jaroslav Kysela <perex@...ex.cz>
To: Takashi Iwai <tiwai@...e.de>, Greg KH <gregkh@...uxfoundation.org>
Cc: alsa-devel@...a-project.org, linux-kernel@...r.kernel.org,
stable@...r.kernel.org, Clement Lecigne <clecigne@...gle.com>
Subject: Re: [PATCH 5.10.y] ALSA: pcm: Properly take rwsem lock in
ctl_elem_read_user/ctl_elem_write_user to prevent UAF
On 13. 01. 23 15:26, Takashi Iwai wrote:
> From: Clement Lecigne <clecigne@...gle.com>
>
> [ Note: this is a fix that works around the bug equivalently as the
> two upstream commits:
> 1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper")
> 56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF")
> but in a simpler way to fit with older stable trees -- tiwai ]
>
> Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be
> easily triggered and turned into an use-after-free.
>
> Example code paths with SNDRV_CTL_IOCTL_ELEM_READ:
>
> 64-bits:
> snd_ctl_ioctl
> snd_ctl_elem_read_user
> [takes controls_rwsem]
> snd_ctl_elem_read [lock properly held, all good]
> [drops controls_rwsem]
>
> 32-bits (compat):
> snd_ctl_ioctl_compat
> snd_ctl_elem_write_read_compat
> ctl_elem_write_read
> snd_ctl_elem_read [missing lock, not good]
>
> CVE-2023-0266 was assigned for this issue.
>
> Signed-off-by: Clement Lecigne <clecigne@...gle.com>
> Cc: stable@...nel.org # 5.12 and older
> Signed-off-by: Takashi Iwai <tiwai@...e.de>
Reviewed-by: Jaroslav Kysela <perex@...ex.cz>
--
Jaroslav Kysela <perex@...ex.cz>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
Powered by blists - more mailing lists