Re: [PATCH 5.10.y] ALSA: pcm: Properly take rwsem lock in ctl_elem_read_user/ctl_elem_write_user to prevent UAF

[Jaroslav Kysela]

On 13. 01. 23 15:26, Takashi Iwai wrote:
> From: Clement Lecigne <clecigne@xxxxxxxxxx>
>
> [ Note: this is a fix that works around the bug equivalently as the
>    two upstream commits:
>     1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper")
>     56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF")
>    but in a simpler way to fit with older stable trees -- tiwai ]
>
> Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be
> easily triggered and turned into an use-after-free.
>
> Example code paths with SNDRV_CTL_IOCTL_ELEM_READ:
>
> 64-bits:
> snd_ctl_ioctl
>    snd_ctl_elem_read_user
>      [takes controls_rwsem]
>      snd_ctl_elem_read [lock properly held, all good]
>      [drops controls_rwsem]
>
> 32-bits (compat):
> snd_ctl_ioctl_compat
>    snd_ctl_elem_write_read_compat
>      ctl_elem_write_read
>        snd_ctl_elem_read [missing lock, not good]
>
> CVE-2023-0266 was assigned for this issue.
>
> Signed-off-by: Clement Lecigne <clecigne@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxx # 5.12 and older
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>

Reviewed-by: Jaroslav Kysela <perex@xxxxxxxx>

--
Jaroslav Kysela <perex@xxxxxxxx>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.