Message-ID:
Date: Fri, 13 Jan 2023 13:44:45 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0
Subject: Re: [PATCH] ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
Content-Language: en-US
To: Takashi Iwai, alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org, Clement Lecigne
References: <20230113120745.25464-1-tiwai@suse.de>
From: Jaroslav Kysela
In-Reply-To: <20230113120745.25464-1-tiwai@suse.de>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailing-List: linux-kernel@vger.kernel.org

On 13. 01. 23 13:07, Takashi Iwai wrote:
> From: Clement Lecigne
>
> Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user
> like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce
> snd_ctl_notify_one() helper"). Doing it this way we are also fixing the following
> locking issue happening in the compat path, which can be easily triggered and
> turned into a use-after-free.
>
> 64-bits:
> snd_ctl_ioctl
>   snd_ctl_elem_read_user
>     [takes controls_rwsem]
>     snd_ctl_elem_read [lock properly held, all good]
>     [drops controls_rwsem]
>
> 32-bits:
> snd_ctl_ioctl_compat
>   snd_ctl_elem_write_read_compat
>     ctl_elem_write_read
>       snd_ctl_elem_read [missing lock, not good]
>
> CVE-2023-0266 was assigned for this issue.
>
> Cc: stable@kernel.org # 5.13+
> Signed-off-by: Clement Lecigne
> Signed-off-by: Takashi Iwai

Reviewed-by: Jaroslav Kysela

-- 
Jaroslav Kysela
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
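The commit message above describes a classic lock-placement bug: one entry point (the 64-bit ioctl path) takes controls_rwsem around the shared helper, a second entry point (the 32-bit compat path) reaches the same helper without it, and the fix is to move the lock into the helper so every caller is covered. The following C model, added here for illustration and not code from the ALSA patch or the kernel, reproduces the "before" and "after" call shapes with a constructed stand-in for the rwsem and a lockdep-style held check (`rwsem_is_locked`, modelled, not the kernel's API) so the unlocked compat path is detectable at the point of the read. All function and struct names below are assumptions chosen to mirror the call chains in the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's controls_rwsem: no real blocking,
 * just enough state to answer "is this lock currently held?". */
struct rwsem { int readers; int writers; };
static struct rwsem controls_rwsem;

static void down_read(struct rwsem *s) { s->readers++; }
static void up_read(struct rwsem *s)   { s->readers--; }
/* Plays the role of lockdep_assert_held(): true when any reader/writer holds it. */
static bool rwsem_is_locked(const struct rwsem *s) { return s->readers > 0 || s->writers > 0; }

/* Result record for the modelled element read. */
struct elem_value { int id; int value; bool read_under_lock; };

/* --- "Before": locking is left to each caller --- */
static int elem_read_before(struct elem_value *ev)
{
    /* Record whether the lock was actually held when the lookup ran. */
    ev->read_under_lock = rwsem_is_locked(&controls_rwsem);
    ev->value = ev->id * 10;   /* stand-in for the control lookup */
    return 0;
}

/* 64-bit ioctl path: takes the lock around the helper, as the message shows. */
static int elem_read_user_before(struct elem_value *ev)
{
    down_read(&controls_rwsem);
    int ret = elem_read_before(ev);
    up_read(&controls_rwsem);
    return ret;
}

/* 32-bit compat path: reaches the same helper with no lock taken. */
static int ctl_elem_read_compat_before(struct elem_value *ev)
{
    return elem_read_before(ev);
}

/* --- "After": the helper owns the lock, so every caller is covered --- */
static int elem_read_after(struct elem_value *ev)
{
    down_read(&controls_rwsem);
    ev->read_under_lock = rwsem_is_locked(&controls_rwsem);
    ev->value = ev->id * 10;
    up_read(&controls_rwsem);
    return 0;
}

static int elem_read_user_after(struct elem_value *ev)       { return elem_read_after(ev); }
static int ctl_elem_read_compat_after(struct elem_value *ev) { return elem_read_after(ev); }

/* Drives one entry point and reports whether its read happened under the lock. */
static bool path_reads_locked(int (*entry)(struct elem_value *))
{
    struct elem_value ev = { .id = 3, .value = 0, .read_under_lock = false };
    if (entry(&ev) != 0)
        return false;
    return ev.read_under_lock;
}

bool before_user_locked(void)   { return path_reads_locked(elem_read_user_before); }
bool before_compat_locked(void) { return path_reads_locked(ctl_elem_read_compat_before); }
bool after_user_locked(void)    { return path_reads_locked(elem_read_user_after); }
bool after_compat_locked(void)  { return path_reads_locked(ctl_elem_read_compat_after); }
/* Sanity check that every down_read() was paired with an up_read(). */
bool lock_balanced(void)        { return !rwsem_is_locked(&controls_rwsem); }

int main(void)
{
    printf("before: user=%d compat=%d\n", before_user_locked(), before_compat_locked());
    printf("after:  user=%d compat=%d\n", after_user_locked(), after_compat_locked());
    return 0;
}
```

The defensive point is the check inside the helper: a `lockdep_assert_held()`-style assertion at the read site flags a caller that forgot the lock regardless of which ioctl path it came from, which is exactly what a caller-side convention cannot guarantee once a second entry point (here the compat layer) is added.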