ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

stable inclusion from stable-v5.10.162 commit df02234e6b87d2a9a82acd3198e44bdeff8488c6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6AOWP CVE: CVE-2023-0266 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=df02234e6b87d2a9a82acd3198e44bdeff8488c6 -------------------------------- [ Note: this is a fix that works around the bug equivalently as the two upstream commits: 1fa4445f ("ALSA: control - introduce snd_ctl_notify_one() helper") 56b88b50 ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF") but in a simpler way to fit with older stable trees -- tiwai ] Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be easily triggered and turned into an use-after-free. Example code paths with SNDRV_CTL_IOCTL_ELEM_READ: 64-bits: snd_ctl_ioctl snd_ctl_elem_read_user [takes controls_rwsem] snd_ctl_elem_read [lock properly held, all good] [drops controls_rwsem] 32-bits (compat): snd_ctl_ioctl_compat snd_ctl_elem_write_read_compat ctl_elem_write_read snd_ctl_elem_read [missing lock, not good] CVE-2023-0266 was assigned for this issue. Signed-off-by: N Clement Lecigne <clecigne@google.com> Cc: stable@kernel.org # 5.12 and older Signed-off-by: N Takashi Iwai <tiwai@suse.de> Reviewed-by: N Jaroslav Kysela <perex@perex.cz> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Hui Tang <tanghui20@huawei.com>

ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
stable inclusion from stable-v5.10.162 commit df02234e6b87d2a9a82acd3198e44bdeff8488c6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6AOWP CVE: CVE-2023-0266 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=df02234e6b87d2a9a82acd3198e44bdeff8488c6 -------------------------------- [ Note: this is a fix that works around the bug equivalently as the two upstream commits: 1fa4445f ("ALSA: control - introduce snd_ctl_notify_one() helper") 56b88b50 ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF") but in a simpler way to fit with older stable trees -- tiwai ] Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be easily triggered and turned into an use-after-free. Example code paths with SNDRV_CTL_IOCTL_ELEM_READ: 64-bits: snd_ctl_ioctl snd_ctl_elem_read_user [takes controls_rwsem] snd_ctl_elem_read [lock properly held, all good] [drops controls_rwsem] 32-bits (compat): snd_ctl_ioctl_compat snd_ctl_elem_write_read_compat ctl_elem_write_read snd_ctl_elem_read [missing lock, not good] CVE-2023-0266 was assigned for this issue. Signed-off-by: N Clement Lecigne <clecigne@google.com> Cc: stable@kernel.org # 5.12 and older Signed-off-by: N Takashi Iwai <tiwai@suse.de> Reviewed-by: N Jaroslav Kysela <perex@perex.cz> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Hui Tang <tanghui20@huawei.com>
7fae8c8b · Clement Lecigne · Zhong Jinghua · 358a5fb9 · 7fae8c8b
显示空白变更内容
内联并排

Showing with 4 addition and 0 deletion

sound/core/control_compat.c sound/core/control_compat.c +4 -0

未找到文件。
--- a/sound/core/control_compat.c
+++ b/sound/core/control_compat.c
@@ -304,7 +304,9 @@ static int ctl_elem_read_user(struct snd_card *card,
 	err = snd_power_wait(card, SNDRV_CTL_POWER_D0);
 	if (err < 0)
 		goto error;
+	down_read(&card->controls_rwsem);
 	err = snd_ctl_elem_read(card, data);
+	up_read(&card->controls_rwsem);
 	if (err < 0)
 		goto error;
 	err = copy_ctl_value_to_user(userdata, valuep, data, type, count);
@@ -332,7 +334,9 @@ static int ctl_elem_write_user(struct snd_ctl_file *file,
 	err = snd_power_wait(card, SNDRV_CTL_POWER_D0);
 	if (err < 0)
 		goto error;
+	down_write(&card->controls_rwsem);
 	err = snd_ctl_elem_write(card, file, data);
+	up_write(&card->controls_rwsem);
 	if (err < 0)
 		goto error;
 	err = copy_ctl_value_to_user(userdata, valuep, data, type, count);