Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp1006218rwb; Fri, 13 Jan 2023 06:53:19 -0800 (PST) X-Google-Smtp-Source: AMrXdXtJUUKrPTHrOgVLFgWr7b3JvIEe9NZhBm/hB6r56IqT99UspVQWjdwXMVhylKqNqz/hXEDC X-Received: by 2002:a17:902:db08:b0:194:5d2d:3c31 with SMTP id m8-20020a170902db0800b001945d2d3c31mr9517350plx.11.1673621599376; Fri, 13 Jan 2023 06:53:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673621599; cv=none; d=google.com; s=arc-20160816; b=TVCI1FiLX++0x5gIbz/su58RCSlogJJAeS/mGxOca7xwMa3efN4EoG98dIxiItRlvZ tY/upC07n8fM+IPAnhzFLyhwTCrMEEMYehdZBDxIhKj09GSjWTpm2y//QXEPgSumgixb ri5o7GvaPt3S/yWaxT8URzIR17ZETahiz6MVxEstZLNUQD4S27am78WDfwLz6H9U3GRB Ot5QJU1IGOI3m3lvbmIX00e6uNAE8G0vFG/pEh9HSvvJ6KxN3KuNjb1atMQcPPeRL5Sr IGVsAIa2pfd07rhPMrcA7I8cDsgUib4N19gI4mLbifAQ25gmCUUZtdW+3tGPVmof7Ywf ghtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature:dkim-signature; bh=ZlT0bW1RT1S/RjUud1OHBkBdTWci8dCpwsYwHEA60CU=; b=iBMOJ/mZPVceOC6mzYF82NuuWNDyTB4N2bWhEEn7uH9hDBESiHk0hLEjn/5HfjOGM9 6j4Q/+6ziaoNpzchI6o12t5aP8bSs29AcomfR4l17NqP6a32wcdx7ckn9VZ9dXaUZXmw BxX5QXfjtGstJFL+eYXCwhtwnhholTJpV03XA5najig4LJVRbvGyzYMZs/KTBQAo65Ib DmIBbk3iop9X8603ulCkSN1TYCk2jzaJiSqA/zlNYZ7oFcQt/EvFD/8CiH3gYYpAacq8 BKHBJZYnpNVliTowEiZHVEBxKvNBc9QFKLpzmoB61cWGzVlPiX181XA+bxA7D4edaITB SRgA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=Jtmx8qSh; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c14-20020a170903234e00b00176d22a068csi22479346plh.515.2023.01.13.06.53.12; Fri, 13 Jan 2023 06:53:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=Jtmx8qSh; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229862AbjAMOdY (ORCPT + 53 others); Fri, 13 Jan 2023 09:33:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56604 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229692AbjAMOcj (ORCPT ); Fri, 13 Jan 2023 09:32:39 -0500 Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8416AEE20; Fri, 13 Jan 2023 06:26:47 -0800 (PST) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id AEE356077A; Fri, 13 Jan 2023 14:26:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1673620005; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=ZlT0bW1RT1S/RjUud1OHBkBdTWci8dCpwsYwHEA60CU=; b=Jtmx8qSh10mse1aghzGf5O2OJpk2ANrzQQJ5UjROd+nkGRzzkpW181UYRfbFuNUdiZx/AR mP9smr3XuGiJPpkaCClRrUHpB5OLjkNkOmrbVeOKK3dxAkgSQRja2ayHRV2XxI7ks2di8b 3SXt2oNX2EI1jeRd4c+CBnjsuRMGNGg= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1673620005; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=ZlT0bW1RT1S/RjUud1OHBkBdTWci8dCpwsYwHEA60CU=; b=1XFKdmKo9XRjBZi/aLaSro2SdtveCWAwmQm5jYelTynOhKUoWeko+Nsx4AREXPY9iHKZt0 LaJJafmXd/Vr/FDQ== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 84F701358A; Fri, 13 Jan 2023 14:26:45 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id DeG5HyVqwWOTGAAAMHmgww (envelope-from ); Fri, 13 Jan 2023 14:26:45 +0000 From: Takashi Iwai To: Greg KH Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org, Clement Lecigne Subject: [PATCH 5.10.y] ALSA: pcm: Properly take rwsem lock in ctl_elem_read_user/ctl_elem_write_user to prevent UAF Date: Fri, 13 Jan 2023 15:26:39 +0100 Message-Id: <20230113142639.4420-1-tiwai@suse.de> X-Mailer: git-send-email 2.35.3 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Clement Lecigne [ Note: this is a fix that works around the bug equivalently as the two upstream commits: 1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper") 56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF") but in a simpler way to fit with older stable trees -- tiwai ] Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be easily triggered and turned into an use-after-free. Example code paths with SNDRV_CTL_IOCTL_ELEM_READ: 64-bits: snd_ctl_ioctl snd_ctl_elem_read_user [takes controls_rwsem] snd_ctl_elem_read [lock properly held, all good] [drops controls_rwsem] 32-bits (compat): snd_ctl_ioctl_compat snd_ctl_elem_write_read_compat ctl_elem_write_read snd_ctl_elem_read [missing lock, not good] CVE-2023-0266 was assigned for this issue. Signed-off-by: Clement Lecigne Cc: stable@kernel.org # 5.12 and older Signed-off-by: Takashi Iwai --- Greg, this is a patch for the last ALSA PCM UCM fix for the older stable trees. Please take this to 5.10.y and older stable trees. Thanks! sound/core/control_compat.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c index 97467f6a32a1..980ab3580f1b 100644 --- a/sound/core/control_compat.c +++ b/sound/core/control_compat.c @@ -304,7 +304,9 @@ static int ctl_elem_read_user(struct snd_card *card, err = snd_power_wait(card, SNDRV_CTL_POWER_D0); if (err < 0) goto error; + down_read(&card->controls_rwsem); err = snd_ctl_elem_read(card, data); + up_read(&card->controls_rwsem); if (err < 0) goto error; err = copy_ctl_value_to_user(userdata, valuep, data, type, count); @@ -332,7 +334,9 @@ static int ctl_elem_write_user(struct snd_ctl_file *file, err = snd_power_wait(card, SNDRV_CTL_POWER_D0); if (err < 0) goto error; + down_write(&card->controls_rwsem); err = snd_ctl_elem_write(card, file, data); + up_write(&card->controls_rwsem); if (err < 0) goto error; err = copy_ctl_value_to_user(userdata, valuep, data, type, count); -- 2.35.3