lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 13 Jan 2023 13:44:45 +0100
From:   Jaroslav Kysela <perex@...ex.cz>
To:     Takashi Iwai <tiwai@...e.de>, alsa-devel@...a-project.org
Cc:     linux-kernel@...r.kernel.org, Clement Lecigne <clecigne@...gle.com>
Subject: Re: [PATCH] ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to
 prevent UAF

On 13. 01. 23 13:07, Takashi Iwai wrote:
> From: Clement Lecigne <clecigne@...gle.com>
> 
> Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user
> like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce
> snd_ctl_notify_one() helper"). Doing this way we are also fixing the following
> locking issue happening in the compat path which can be easily triggered and
> turned into an use-after-free.
> 
> 64-bits:
> snd_ctl_ioctl
>    snd_ctl_elem_read_user
>      [takes controls_rwsem]
>      snd_ctl_elem_read [lock properly held, all good]
>      [drops controls_rwsem]
> 
> 32-bits:
> snd_ctl_ioctl_compat
>    snd_ctl_elem_write_read_compat
>      ctl_elem_write_read
>        snd_ctl_elem_read [missing lock, not good]
> 
> CVE-2023-0266 was assigned for this issue.
> 
> Cc: stable@...nel.org # 5.13+
> Signed-off-by: Clement Lecigne <clecigne@...gle.com>
> Signed-off-by: Takashi Iwai <tiwai@...e.de>

Reviewed-by: Jaroslav Kysela <perex@...ex.cz>

-- 
Jaroslav Kysela <perex@...ex.cz>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ