diff options
| author | Clement Lecigne <clecigne@google.com> | 2023-01-13 13:07:45 +0100 |
|---|---|---|
| committer | Michael Bestas <mkbestas@lineageos.org> | 2023-05-02 21:08:13 +0300 |
| commit | e9af212f968520b3c1e0f79dd12865a68acde2c3 (patch) | |
| tree | 5cc13ba86ef7fc0f9781dbe762ada7be89b7481b /scripts/mod/empty.c | |
| parent | 95fc4fff573f91177290e2e07022f531c6524029 (diff) | |
ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
[ Note: this is a fix that works around the bug equivalently as the
two upstream commits:
1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper")
56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF")
but in a simpler way to fit with older stable trees -- tiwai ]
Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be
easily triggered and turned into an use-after-free.
Example code paths with SNDRV_CTL_IOCTL_ELEM_READ:
64-bits:
snd_ctl_ioctl
snd_ctl_elem_read_user
[takes controls_rwsem]
snd_ctl_elem_read [lock properly held, all good]
[drops controls_rwsem]
32-bits (compat):
snd_ctl_ioctl_compat
snd_ctl_elem_write_read_compat
ctl_elem_write_read
snd_ctl_elem_read [missing lock, not good]
CVE-2023-0266 was assigned for this issue.
Bug: 265303544
Signed-off-by: Clement Lecigne <clecigne@google.com>
Cc: stable@vger.kernel.org # 5.12 and older
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I09e6834ccdacb1e35b4dfa20d94e82a0e4afac7e
Diffstat (limited to 'scripts/mod/empty.c')
0 files changed, 0 insertions, 0 deletions