From patchwork Tue Feb 14 23:56:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1742641 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=ppWiUx4I; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4PGdRD4kRRz23yb for ; Wed, 15 Feb 2023 10:56:56 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1pS5AG-0007rJ-PM; Tue, 14 Feb 2023 23:56:48 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1pS5AC-0007qq-NU for kernel-team@lists.ubuntu.com; Tue, 14 Feb 2023 23:56:44 +0000 Received: from mail-qv1-f70.google.com (mail-qv1-f70.google.com [209.85.219.70]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 507473F5E4 for ; Tue, 14 Feb 2023 23:56:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1676419004; bh=zL2BDi1SveoKFy/1YGrwyHNghgsCp8SdERyREgjzLj8=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=ppWiUx4Is/SaN57h/UEe06RaMNLu7AByieNfpJMPssrFC3oGS8HHgSU2mV1JjdxGD aWVbYUzzIR8k9Rjh8cvihNNixWky4BklArlWS5V3zde8NtzxnGFqCJhkxr4vK/2x7y 5N93W1wdfYTYm+PS1Tos7JisOmzp23ppX3bWmtvD6Lcp3YXOjkr48yDmQN15d05geu Bjbl/0FFtj5x7fAv43LHwXsbRpR5IOCCGm0LfnrFLE3dOaej2OAScRI/CMnssfrkvR xQW03n8wQHF+XnNrDhdB+o/IjGKgAT2W2ZvQguUHuX3bk5dZqBxdrGMuS0x8UMURmO FRSqVKNtFoOvQ== Received: by mail-qv1-f70.google.com with SMTP id dz7-20020ad45887000000b0056e9274a7e1so7539976qvb.5 for ; Tue, 14 Feb 2023 15:56:44 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zL2BDi1SveoKFy/1YGrwyHNghgsCp8SdERyREgjzLj8=; b=x0noS2vZuRBKitKIf6zKhBiHzTtI8M/QzFc075V+6LGyT638UroOkJ6wXY3XSew4Cu BNH6y7e0QwqGJ5fSshz7WX+mjJoX7NQMlJtlk+1kzpORf5mb1AyLZ6NF+tm6Pfrd4/Bz K9FINmNt0WccLRq5CengWivWaCmI6Kcm/rm6KFT+banns54EQ4Nbu2yAnfGUf+6ToFN4 eiaKSlRsWhmlcY765QuTfypHLDYinDQ5Xoe61FTmtfTMCoSoLlgDCsJXI46tbaRdPpaF LHNctt0EuKjPghX0ZlUwgp5jDPGJf9cuWSlZoYa6RZesO8FHumAVv4fKbyG7ntEs6pSk +SIQ== X-Gm-Message-State: AO0yUKUlAtP7gGPJSzBYeA9955GpszR08713i+iewNXE1fWP1gz4qBz+ eC2ZRbb/Cg/wV/C/OMLYNE8gxTRy79Nn7NgflyTIURm7dgOhI1xSJI33Gi9alwHU7xnwPCRv4BR Un5NDQHjgdiKQK2ZT+5LtfGUK6/YHFsAumGOhya6bhyw9WWw= X-Received: by 2002:ad4:5961:0:b0:53a:5812:1434 with SMTP id eq1-20020ad45961000000b0053a58121434mr673675qvb.16.1676419002563; Tue, 14 Feb 2023 15:56:42 -0800 (PST) X-Google-Smtp-Source: AK7set+QCZsO7tbIsNzufPVMSiCDLXZGgtntBM+L4jYg5udFGfZpHsNvw8TxRruN7J3kaudgddPp0Q== X-Received: by 2002:ad4:5961:0:b0:53a:5812:1434 with SMTP id eq1-20020ad45961000000b0053a58121434mr673658qvb.16.1676419002238; Tue, 14 Feb 2023 15:56:42 -0800 (PST) Received: from cache-ubuntu.hsd1.nj.comcast.net ([2601:86:200:98b0:a9f6:59cc:171e:b61a]) by smtp.gmail.com with ESMTPSA id j64-20020a378743000000b0073b275607f0sm7712125qkd.65.2023.02.14.15.56.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Feb 2023 15:56:41 -0800 (PST) From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [SRU][J/K][PATCH 1/1] ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF Date: Tue, 14 Feb 2023 18:56:38 -0500 Message-Id: <20230214235638.28911-2-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230214235638.28911-1-yuxuan.luo@canonical.com> References: <20230214235638.28911-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Clement Lecigne Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce snd_ctl_notify_one() helper"). Doing this way we are also fixing the following locking issue happening in the compat path which can be easily triggered and turned into an use-after-free. 64-bits: snd_ctl_ioctl snd_ctl_elem_read_user [takes controls_rwsem] snd_ctl_elem_read [lock properly held, all good] [drops controls_rwsem] 32-bits: snd_ctl_ioctl_compat snd_ctl_elem_write_read_compat ctl_elem_write_read snd_ctl_elem_read [missing lock, not good] CVE-2023-0266 was assigned for this issue. Cc: stable@kernel.org # 5.13+ Signed-off-by: Clement Lecigne Reviewed-by: Jaroslav Kysela Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de Signed-off-by: Takashi Iwai (cherry picked from commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e) CVE-2023-0266 Signed-off-by: Yuxuan Luo --- sound/core/control.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/sound/core/control.c b/sound/core/control.c index f66fe4be30d35..b83ec284d6114 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1067,14 +1067,19 @@ static int snd_ctl_elem_read(struct snd_card *card, const u32 pattern = 0xdeadbeef; int ret; + down_read(&card->controls_rwsem); kctl = snd_ctl_find_id(card, &control->id); - if (kctl == NULL) - return -ENOENT; + if (kctl == NULL) { + ret = -ENOENT; + goto unlock; + } index_offset = snd_ctl_get_ioff(kctl, &control->id); vd = &kctl->vd[index_offset]; - if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL) - return -EPERM; + if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL) { + ret = -EPERM; + goto unlock; + } snd_ctl_build_ioff(&control->id, kctl, index_offset); @@ -1084,7 +1089,7 @@ static int snd_ctl_elem_read(struct snd_card *card, info.id = control->id; ret = __snd_ctl_elem_info(card, kctl, &info, NULL); if (ret < 0) - return ret; + goto unlock; #endif if (!snd_ctl_skip_validation(&info)) @@ -1094,7 +1099,7 @@ static int snd_ctl_elem_read(struct snd_card *card, ret = kctl->get(kctl, control); snd_power_unref(card); if (ret < 0) - return ret; + goto unlock; if (!snd_ctl_skip_validation(&info) && sanity_check_elem_value(card, control, &info, pattern) < 0) { dev_err(card->dev, @@ -1102,8 +1107,11 @@ static int snd_ctl_elem_read(struct snd_card *card, control->id.iface, control->id.device, control->id.subdevice, control->id.name, control->id.index); - return -EINVAL; + ret = -EINVAL; + goto unlock; } +unlock: + up_read(&card->controls_rwsem); return ret; } @@ -1117,9 +1125,7 @@ static int snd_ctl_elem_read_user(struct snd_card *card, if (IS_ERR(control)) return PTR_ERR(control); - down_read(&card->controls_rwsem); result = snd_ctl_elem_read(card, control); - up_read(&card->controls_rwsem); if (result < 0) goto error;