android_kernel_asus_sm8350/sound/core
Clement Lecigne eaa5580a74 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
[ Note: this is a fix that works around the bug equivalently as the
  two upstream commits:
   1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper")
   56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF")
  but in a simpler way to fit with older stable trees -- tiwai ]

Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be
easily triggered and turned into a use-after-free.

Example code paths with SNDRV_CTL_IOCTL_ELEM_READ:

64-bits:
snd_ctl_ioctl
  snd_ctl_elem_read_user
    [takes controls_rwsem]
    snd_ctl_elem_read [lock properly held, all good]
    [drops controls_rwsem]

32-bits (compat):
snd_ctl_ioctl_compat
  snd_ctl_elem_write_read_compat
    ctl_elem_write_read
      snd_ctl_elem_read [missing lock, not good]

CVE-2023-0266 was assigned for this issue.

Signed-off-by: Clement Lecigne <clecigne@google.com>
Cc: stable@kernel.org # 5.12 and older
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-01-18 11:42:01 +01:00
oss ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC 2022-09-28 11:03:57 +02:00
seq ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event 2022-12-14 11:30:41 +01:00
compress_offload.c ALSA: compress: fix partial_drain completion state 2020-07-16 08:16:39 +02:00
control_compat.c ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF 2023-01-18 11:42:01 +01:00
control.c ALSA: ctl: fix error path at adding user-defined element set 2020-11-24 13:29:20 +01:00
ctljack.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
device.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hrtimer.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hwdep_compat.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
hwdep.c ALSA: hwdep: fix a left shifting 1 by 31 UB bug 2020-06-03 08:21:22 +02:00
info_oss.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
info.c ALSA: info: Fix llseek return value when using callback 2022-08-25 11:18:18 +02:00
init.c ALSA: core: remove redundant spin_lock pair in snd_card_disconnect 2021-05-14 09:44:26 +02:00
isadma.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
jack.c ALSA: jack: Access input_dev under mutex 2022-06-14 18:11:25 +02:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile ALSA: ISA: not for M68K 2021-11-26 10:47:16 +01:00
memalloc.c ALSA: memalloc: Align buffer allocations in page size 2022-07-29 17:14:18 +02:00
memory.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
misc.c ALSA: core: Add async signal helpers 2022-08-25 11:18:37 +02:00
pcm_compat.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
pcm_dmaengine.c ALSA: dmaengine: increment buffer pointer atomically 2022-10-26 13:22:30 +02:00
pcm_drm_eld.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pcm_iec958.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pcm_lib.c ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock 2022-05-12 12:23:49 +02:00
pcm_local.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 345 2019-06-05 17:37:08 +02:00
pcm_memory.c ALSA: pcm: Fix races among concurrent prealloc proc writes 2022-05-12 12:23:49 +02:00
pcm_misc.c ALSA: pcm: Test for "silence" field in struct "pcm_format_data" 2022-04-20 09:19:38 +02:00
pcm_native.c ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock 2022-05-12 12:23:49 +02:00
pcm_param_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm_timer.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
pcm_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm.c ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock 2022-05-12 12:23:49 +02:00
rawmidi_compat.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
rawmidi.c ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() 2022-10-26 13:22:10 +02:00
seq_device.c ALSA: seq: Fix a potential UAF by wrong private_free call order 2021-10-20 11:40:12 +02:00
sgbuf.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
sound_oss.c ALSA: oss: Fix potential deadlock at unregistration 2022-10-26 13:22:10 +02:00
sound.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
timer_compat.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
timer.c ALSA: timer: Use deferred fasync helper 2022-08-25 11:18:38 +02:00
vmaster.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 372 2019-06-05 17:37:10 +02:00