Date: Fri, 13 Jan 2023 15:45:27 +0100
Subject: Re: [PATCH 5.10.y] ALSA: pcm: Properly take rwsem lock in ctl_elem_read_user/ctl_elem_write_user to prevent UAF
From: Jaroslav Kysela
To: Takashi Iwai, Greg KH
Cc: alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Clement Lecigne
In-Reply-To: <20230113142639.4420-1-tiwai@suse.de>

On 13. 01. 23 15:26, Takashi Iwai wrote:
> From: Clement Lecigne
>
> [ Note: this is a fix that works around the bug equivalently as the
>   two upstream commits:
>    1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper")
>    56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF")
>   but in a simpler way to fit with older stable trees -- tiwai ]
>
> Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be
> easily triggered and turned into a use-after-free.
>
> Example code paths with SNDRV_CTL_IOCTL_ELEM_READ:
>
> 64-bits:
> snd_ctl_ioctl
>   snd_ctl_elem_read_user
>     [takes controls_rwsem]
>     snd_ctl_elem_read [lock properly held, all good]
>     [drops controls_rwsem]
>
> 32-bits (compat):
> snd_ctl_ioctl_compat
>   snd_ctl_elem_write_read_compat
>     ctl_elem_write_read
>       snd_ctl_elem_read [missing lock, not good]
>
> CVE-2023-0266 was assigned for this issue.
>
> Signed-off-by: Clement Lecigne
> Cc: stable@kernel.org # 5.12 and older
> Signed-off-by: Takashi Iwai

Reviewed-by: Jaroslav Kysela

--
Jaroslav Kysela
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
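
The two call chains quoted above, as an added example that is not part of this thread or of the kernel source: a single-threaded userspace model showing why the same helper is safe when the caller holds controls_rwsem and unsafe when it does not. The lock model, the `live` flag, `try_remove`, `read_once` and the `fixed` parameter are assumptions made for illustration; only the function and lock names are taken from the message.

```c
#include <stdbool.h>

/* Constructed userspace model, not kernel code. */
struct rwsem { int readers; };
struct kctl  { int value; bool live; };   /* live == false models a freed control */
struct card  { struct rwsem controls_rwsem; struct kctl ctl; };

static void down_read(struct rwsem *s) { s->readers++; }
static void up_read(struct rwsem *s)   { s->readers--; }

/* Racing remover: needs the write side, so it cannot run while a reader holds the lock. */
static bool try_remove(struct card *c)
{
    if (c->controls_rwsem.readers > 0)
        return false;                     /* down_write() would block here */
    c->ctl.live = false;
    return true;
}

/* Models snd_ctl_elem_read: look up the control, then dereference it.
 * The remover is scheduled between the two steps to model the race window. */
static int snd_ctl_elem_read(struct card *c, int *out)
{
    struct kctl *k = &c->ctl;
    (void)try_remove(c);
    if (!k->live)
        return -1;                        /* model only: the kernel would touch freed memory */
    *out = k->value;
    return 0;
}

/* Compat helper: fixed == false is the pre-patch call with no lock;
 * fixed == true takes the lock, as the 64-bit snd_ctl_elem_read_user path does. */
static int ctl_elem_read_user(struct card *c, int *out, bool fixed)
{
    if (fixed)
        down_read(&c->controls_rwsem);
    int ret = snd_ctl_elem_read(c, out);
    if (fixed)
        up_read(&c->controls_rwsem);
    return ret;
}

/* Hypothetical driver: returns the value read, or -1 if the control vanished mid-read. */
static int read_once(bool fixed)
{
    struct card c = { { 0 }, { 42, true } };
    int v = 0;
    return ctl_elem_read_user(&c, &v, fixed) == 0 ? v : -1;
}
```

In kernel code the equivalent guard against this class of regression is a `lockdep_assert_held()` on the rwsem inside the helper, which flags any caller that reaches it without the lock.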