Ubuntu-focal-kernel/sound/core
Clement Lecigne 45618e2819 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
BugLink: https://bugs.launchpad.net/bugs/2003914

[ Note: this is a fix that works around the bug equivalently to the
  two upstream commits:
   1fa4445f9a ("ALSA: control - introduce snd_ctl_notify_one() helper")
   56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF")
  but in a simpler way to fit with older stable trees -- tiwai ]

Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be
easily triggered and turned into a use-after-free.

Example code paths with SNDRV_CTL_IOCTL_ELEM_READ:

64-bits:
snd_ctl_ioctl
  snd_ctl_elem_read_user
    [takes controls_rwsem]
    snd_ctl_elem_read [lock properly held, all good]
    [drops controls_rwsem]

32-bits (compat):
snd_ctl_ioctl_compat
  snd_ctl_elem_write_read_compat
    ctl_elem_write_read
      snd_ctl_elem_read [missing lock, not good]

CVE-2023-0266 was assigned for this issue.

Signed-off-by: Clement Lecigne <clecigne@google.com>
Cc: stable@kernel.org # 5.12 and older
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2023-02-01 15:23:45 +01:00
oss ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC 2022-11-24 10:28:25 +01:00
seq ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event 2023-02-01 15:21:51 +01:00
Kconfig
Makefile
compress_offload.c
control.c
control_compat.c ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF 2023-02-01 15:23:45 +01:00
ctljack.c
device.c
hrtimer.c
hwdep.c
hwdep_compat.c
info.c ALSA: info: Fix llseek return value when using callback 2022-10-17 15:01:34 +02:00
info_oss.c
init.c
isadma.c
jack.c
memalloc.c ALSA: memalloc: Align buffer allocations in page size 2022-09-16 11:00:01 +02:00
memory.c
misc.c ALSA: core: Add async signal helpers 2022-10-17 15:02:02 +02:00
pcm.c
pcm_compat.c
pcm_dmaengine.c ALSA: dmaengine: increment buffer pointer atomically 2023-01-06 08:43:57 -08:00
pcm_drm_eld.c
pcm_iec958.c
pcm_lib.c
pcm_local.h
pcm_memory.c
pcm_misc.c
pcm_native.c
pcm_param_trace.h
pcm_timer.c
pcm_trace.h
rawmidi.c ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() 2023-01-06 08:43:51 -08:00
rawmidi_compat.c
seq_device.c
sgbuf.c
sound.c
sound_oss.c ALSA: oss: Fix potential deadlock at unregistration 2023-01-06 08:43:51 -08:00
timer.c ALSA: timer: Use deferred fasync helper 2022-10-17 15:02:03 +02:00
timer_compat.c
vmaster.c