| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <abe92f46-d4d7-4d9d-82b3-d8c9e7e26181@perex.cz>
Date: Fri, 13 Jan 2023 13:44:45 +0100
From: Jaroslav Kysela <perex@...ex.cz>
To: Takashi Iwai <tiwai@...e.de>, alsa-devel@...a-project.org
Cc: linux-kernel@...r.kernel.org, Clement Lecigne <clecigne@...gle.com>
Subject: Re: [PATCH] ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to
prevent UAF
On 13. 01. 23 13:07, Takashi Iwai wrote:
> From: Clement Lecigne <clecigne@...gle.com>
>
> Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user
> like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce
> snd_ctl_notify_one() helper"). Doing this way we are also fixing the following
> locking issue happening in the compat path which can be easily triggered and
> turned into an use-after-free.
>
> 64-bits:
> snd_ctl_ioctl
> snd_ctl_elem_read_user
> [takes controls_rwsem]
> snd_ctl_elem_read [lock properly held, all good]
> [drops controls_rwsem]
>
> 32-bits:
> snd_ctl_ioctl_compat
> snd_ctl_elem_write_read_compat
> ctl_elem_write_read
> snd_ctl_elem_read [missing lock, not good]
>
> CVE-2023-0266 was assigned for this issue.
>
> Cc: stable@...nel.org # 5.13+
> Signed-off-by: Clement Lecigne <clecigne@...gle.com>
> Signed-off-by: Takashi Iwai <tiwai@...e.de>
Reviewed-by: Jaroslav Kysela <perex@...ex.cz>
--
Jaroslav Kysela <perex@...ex.cz>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
Powered by blists - more mailing lists