summaryrefslogtreecommitdiffstats
path: root/sound/oss
diff options
context:
space:
mode:
authorClement Lecigne <clecigne@google.com>2023-01-13 13:07:45 +0100
committerTakashi Iwai <tiwai@suse.de>2023-01-13 14:15:26 +0100
commit56b88b50565cd8b946a2d00b0c83927b7ebb055e (patch)
tree43fee411773c5e23bea239684a8bca805db8c574 /sound/oss
parent92a9c0ad86d47ff4cce899012e355c400f02cfb8 (diff)
downloadlinux-56b88b50565cd8b946a2d00b0c83927b7ebb055e.tar.gz
linux-56b88b50565cd8b946a2d00b0c83927b7ebb055e.tar.bz2
linux-56b88b50565cd8b946a2d00b0c83927b7ebb055e.zip
ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce snd_ctl_notify_one() helper"). Doing this way we are also fixing the following locking issue happening in the compat path which can be easily triggered and turned into an use-after-free. 64-bits: snd_ctl_ioctl snd_ctl_elem_read_user [takes controls_rwsem] snd_ctl_elem_read [lock properly held, all good] [drops controls_rwsem] 32-bits: snd_ctl_ioctl_compat snd_ctl_elem_write_read_compat ctl_elem_write_read snd_ctl_elem_read [missing lock, not good] CVE-2023-0266 was assigned for this issue. Cc: stable@kernel.org # 5.13+ Signed-off-by: Clement Lecigne <clecigne@google.com> Reviewed-by: Jaroslav Kysela <perex@perex.cz> Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/oss')
0 files changed, 0 insertions, 0 deletions