diff options
author | Clement Lecigne <clecigne@google.com> | 2023-01-13 13:07:45 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-01-18 11:30:52 +0100 |
commit | 5b2ea7e91352165054c5b3f8e5442cd31c3e73f9 (patch) | |
tree | 06e827e5bac89891d19b2c82cbca0a93f8adadd2 /fs/cifs | |
parent | 755193f2523ce5157c2f844a4b6d16b95593f830 (diff) | |
download | linux-stable-5b2ea7e91352165054c5b3f8e5442cd31c3e73f9.tar.gz linux-stable-5b2ea7e91352165054c5b3f8e5442cd31c3e73f9.tar.bz2 linux-stable-5b2ea7e91352165054c5b3f8e5442cd31c3e73f9.zip |
ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
[ Note: this is a fix that works around the bug equivalently as the
two upstream commits:
1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper")
56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF")
but in a simpler way to fit with older stable trees -- tiwai ]
Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be
easily triggered and turned into an use-after-free.
Example code paths with SNDRV_CTL_IOCTL_ELEM_READ:
64-bits:
snd_ctl_ioctl
snd_ctl_elem_read_user
[takes controls_rwsem]
snd_ctl_elem_read [lock properly held, all good]
[drops controls_rwsem]
32-bits (compat):
snd_ctl_ioctl_compat
snd_ctl_elem_write_read_compat
ctl_elem_write_read
snd_ctl_elem_read [missing lock, not good]
CVE-2023-0266 was assigned for this issue.
Signed-off-by: Clement Lecigne <clecigne@google.com>
Cc: stable@kernel.org # 5.12 and older
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/cifs')
0 files changed, 0 insertions, 0 deletions