[5.10.y] ALSA: pcm: Properly take rwsem lock in ctl_elem_read_user/ctl_elem_write_user to prevent UAF
| Message ID | 20230113142639.4420-1-tiwai@suse.de |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:4e01:0:0:0:0:0 with SMTP id p1csp302415wrt;
Fri, 13 Jan 2023 06:34:17 -0800 (PST)
X-Google-Smtp-Source:
AMrXdXvNAdYsO/AmG7tIhwgMvuVJ7UR6mRzD5d/N2NtUbJItbN/Sl34J4RQJ3JYX2RSlcNjyxgak
X-Received: by 2002:a17:907:c717:b0:7c1:ad6:638a with SMTP id
ty23-20020a170907c71700b007c10ad6638amr75710716ejc.17.1673620456875;
Fri, 13 Jan 2023 06:34:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1673620456; cv=none;
d=google.com; s=arc-20160816;
b=ROU1kdQSoeDGXF89xkKLuWPymcExCQdYYGyZ9K0iNoZWU8ApF/O6yHRmbzURLidQe1
9Wr13qtIDHzMAjFVOhhvSfnNhu2oscNAAZ8v08D60nHjI5vhUKkmHutuJ+4TFLN2UWNx
s5/5cNhhMqiUrAPsNBrTfvzGyO8NCTaUzZdL9Oddp7wvrUY25bZBt1haQ6+gd2/ZZ6hF
88oQxe5CnqqvTT+RDbWW6XtBj+7t/lnaZCzL/k77Lq6D0yyP8+qxgE4I5evKapzow5vb
yOgxTnZcjEp507J6HOUVBh29ZJ9Z3RC/5nr3crgnoL2Yxo8+hYJcLQV9BDkB9DnaYDiI
DZqA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature:dkim-signature;
bh=ZlT0bW1RT1S/RjUud1OHBkBdTWci8dCpwsYwHEA60CU=;
b=iBMOJ/mZPVceOC6mzYF82NuuWNDyTB4N2bWhEEn7uH9hDBESiHk0hLEjn/5HfjOGM9
6j4Q/+6ziaoNpzchI6o12t5aP8bSs29AcomfR4l17NqP6a32wcdx7ckn9VZ9dXaUZXmw
BxX5QXfjtGstJFL+eYXCwhtwnhholTJpV03XA5najig4LJVRbvGyzYMZs/KTBQAo65Ib
DmIBbk3iop9X8603ulCkSN1TYCk2jzaJiSqA/zlNYZ7oFcQt/EvFD/8CiH3gYYpAacq8
BKHBJZYnpNVliTowEiZHVEBxKvNBc9QFKLpzmoB61cWGzVlPiX181XA+bxA7D4edaITB
SRgA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=Jtmx8qSh;
dkim=neutral (no key) header.i=@suse.de header.b=1XFKdmKo;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
be12-20020a1709070a4c00b007c087110276si21619229ejc.151.2023.01.13.06.33.52;
Fri, 13 Jan 2023 06:34:16 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=Jtmx8qSh;
dkim=neutral (no key) header.i=@suse.de header.b=1XFKdmKo;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229862AbjAMOdY (ORCPT <rfc822;callmefire3@gmail.com>
+ 99 others); Fri, 13 Jan 2023 09:33:24 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56604 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229692AbjAMOcj (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 13 Jan 2023 09:32:39 -0500
Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8416AEE20;
Fri, 13 Jan 2023 06:26:47 -0800 (PST)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by smtp-out2.suse.de (Postfix) with ESMTPS id AEE356077A;
Fri, 13 Jan 2023 14:26:45 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_rsa;
t=1673620005;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=ZlT0bW1RT1S/RjUud1OHBkBdTWci8dCpwsYwHEA60CU=;
b=Jtmx8qSh10mse1aghzGf5O2OJpk2ANrzQQJ5UjROd+nkGRzzkpW181UYRfbFuNUdiZx/AR
mP9smr3XuGiJPpkaCClRrUHpB5OLjkNkOmrbVeOKK3dxAkgSQRja2ayHRV2XxI7ks2di8b
3SXt2oNX2EI1jeRd4c+CBnjsuRMGNGg=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_ed25519; t=1673620005;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=ZlT0bW1RT1S/RjUud1OHBkBdTWci8dCpwsYwHEA60CU=;
b=1XFKdmKo9XRjBZi/aLaSro2SdtveCWAwmQm5jYelTynOhKUoWeko+Nsx4AREXPY9iHKZt0
LaJJafmXd/Vr/FDQ==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 84F701358A;
Fri, 13 Jan 2023 14:26:45 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
by imap2.suse-dmz.suse.de with ESMTPSA
id DeG5HyVqwWOTGAAAMHmgww
(envelope-from <tiwai@suse.de>); Fri, 13 Jan 2023 14:26:45 +0000
From: Takashi Iwai <tiwai@suse.de>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org,
alsa-devel@alsa-project.org, Clement Lecigne <clecigne@google.com>
Subject: [PATCH 5.10.y] ALSA: pcm: Properly take rwsem lock in
ctl_elem_read_user/ctl_elem_write_user to prevent UAF
Date: Fri, 13 Jan 2023 15:26:39 +0100
Message-Id: <20230113142639.4420-1-tiwai@suse.de>
X-Mailer: git-send-email 2.35.3
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1754918243900747553?=
X-GMAIL-MSGID: =?utf-8?q?1754918243900747553?=
|
| Series |
[5.10.y] ALSA: pcm: Properly take rwsem lock in ctl_elem_read_user/ctl_elem_write_user to prevent UAF
|
|
Commit Message
Takashi Iwai
Jan. 13, 2023, 2:26 p.m. UTC
From: Clement Lecigne <clecigne@google.com> [ Note: this is a fix that works around the bug equivalently as the two upstream commits: 1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper") 56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF") but in a simpler way to fit with older stable trees -- tiwai ] Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be easily triggered and turned into an use-after-free. Example code paths with SNDRV_CTL_IOCTL_ELEM_READ: 64-bits: snd_ctl_ioctl snd_ctl_elem_read_user [takes controls_rwsem] snd_ctl_elem_read [lock properly held, all good] [drops controls_rwsem] 32-bits (compat): snd_ctl_ioctl_compat snd_ctl_elem_write_read_compat ctl_elem_write_read snd_ctl_elem_read [missing lock, not good] CVE-2023-0266 was assigned for this issue. Signed-off-by: Clement Lecigne <clecigne@google.com> Cc: stable@kernel.org # 5.12 and older Signed-off-by: Takashi Iwai <tiwai@suse.de> --- Greg, this is a patch for the last ALSA PCM UCM fix for the older stable trees. Please take this to 5.10.y and older stable trees. Thanks! sound/core/control_compat.c | 4 ++++ 1 file changed, 4 insertions(+)
Comments
On 13. 01. 23 15:26, Takashi Iwai wrote: > From: Clement Lecigne <clecigne@google.com> > > [ Note: this is a fix that works around the bug equivalently as the > two upstream commits: > 1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper") > 56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF") > but in a simpler way to fit with older stable trees -- tiwai ] > > Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be > easily triggered and turned into an use-after-free. > > Example code paths with SNDRV_CTL_IOCTL_ELEM_READ: > > 64-bits: > snd_ctl_ioctl > snd_ctl_elem_read_user > [takes controls_rwsem] > snd_ctl_elem_read [lock properly held, all good] > [drops controls_rwsem] > > 32-bits (compat): > snd_ctl_ioctl_compat > snd_ctl_elem_write_read_compat > ctl_elem_write_read > snd_ctl_elem_read [missing lock, not good] > > CVE-2023-0266 was assigned for this issue. > > Signed-off-by: Clement Lecigne <clecigne@google.com> > Cc: stable@kernel.org # 5.12 and older > Signed-off-by: Takashi Iwai <tiwai@suse.de> Reviewed-by: Jaroslav Kysela <perex@perex.cz>
On Fri, Jan 13, 2023 at 03:26:39PM +0100, Takashi Iwai wrote: > From: Clement Lecigne <clecigne@google.com> > > [ Note: this is a fix that works around the bug equivalently as the > two upstream commits: > 1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper") > 56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF") > but in a simpler way to fit with older stable trees -- tiwai ] Thanks for the backport, now queued up. greg k-h
diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c index 97467f6a32a1..980ab3580f1b 100644 --- a/sound/core/control_compat.c +++ b/sound/core/control_compat.c @@ -304,7 +304,9 @@ static int ctl_elem_read_user(struct snd_card *card, err = snd_power_wait(card, SNDRV_CTL_POWER_D0); if (err < 0) goto error; + down_read(&card->controls_rwsem); err = snd_ctl_elem_read(card, data); + up_read(&card->controls_rwsem); if (err < 0) goto error; err = copy_ctl_value_to_user(userdata, valuep, data, type, count); @@ -332,7 +334,9 @@ static int ctl_elem_write_user(struct snd_ctl_file *file, err = snd_power_wait(card, SNDRV_CTL_POWER_D0); if (err < 0) goto error; + down_write(&card->controls_rwsem); err = snd_ctl_elem_write(card, file, data); + up_write(&card->controls_rwsem); if (err < 0) goto error; err = copy_ctl_value_to_user(userdata, valuep, data, type, count);