|
 |
7e21e5 |
From 6cfa68ca747bc4fe8978bcf92c3d894e95c05022 Mon Sep 17 00:00:00 2001
|
|
|
7e21e5 |
From: Ryan Sullivan <rysulliv@redhat.com>
|
|
|
7e21e5 |
Date: Fri, 17 Feb 2023 10:33:05 -0500
|
|
|
7e21e5 |
Subject: [KPATCH CVE-2023-0266] kpatch fixes for CVE-2023-0266
|
|
|
7e21e5 |
|
|
|
7e21e5 |
Kernels:
|
|
|
7e21e5 |
4.18.0-425.3.1.el8
|
|
|
7e21e5 |
4.18.0-425.10.1.el8_7
|
|
|
7e21e5 |
|
|
|
7e21e5 |
|
|
|
7e21e5 |
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/87
|
|
|
7e21e5 |
Approved-by: Yannick Cote (@ycote1)
|
|
|
7e21e5 |
Approved-by: Joe Lawrence (@joe.lawrence)
|
|
|
7e21e5 |
Changes since last build:
|
|
|
7e21e5 |
[x86_64]:
|
|
|
7e21e5 |
control.o: changed function: snd_ctl_elem_read
|
|
|
7e21e5 |
control.o: changed function: snd_ctl_ioctl
|
|
|
7e21e5 |
sysctl.o: changed function: __do_proc_dointvec
|
|
|
7e21e5 |
sysctl.o: changed function: __do_proc_douintvec
|
|
|
7e21e5 |
sysctl.o: changed function: __do_proc_doulongvec_minmax
|
|
|
7e21e5 |
sysctl.o: changed function: proc_get_long.constprop.14
|
|
|
7e21e5 |
|
|
|
7e21e5 |
[ppc64le]:
|
|
|
7e21e5 |
control.o: changed function: snd_ctl_elem_read
|
|
|
7e21e5 |
control.o: changed function: snd_ctl_ioctl
|
|
|
7e21e5 |
sysctl.o: changed function: __do_proc_dointvec
|
|
|
7e21e5 |
sysctl.o: changed function: __do_proc_doulongvec_minmax
|
|
|
7e21e5 |
sysctl.o: changed function: proc_dopipe_max_size
|
|
|
7e21e5 |
sysctl.o: changed function: proc_douintvec
|
|
|
7e21e5 |
sysctl.o: changed function: proc_douintvec_minmax
|
|
|
7e21e5 |
sysctl.o: changed function: proc_get_long.constprop.14
|
|
|
7e21e5 |
|
|
|
7e21e5 |
---------------------------
|
|
|
7e21e5 |
|
|
|
7e21e5 |
Modifications: none
|
|
|
7e21e5 |
|
|
|
7e21e5 |
commit 28e15c1ec38154a006589fb8eb40fcab1eea97ce
|
|
|
7e21e5 |
Author: Jaroslav Kysela <jkysela@redhat.com>
|
|
|
7e21e5 |
Date: Thu Feb 9 09:10:34 2023 +0100
|
|
|
7e21e5 |
|
|
|
7e21e5 |
ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
|
|
|
7e21e5 |
|
|
|
7e21e5 |
Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user
|
|
|
7e21e5 |
like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce
|
|
|
7e21e5 |
snd_ctl_notify_one() helper"). Doing this way we are also fixing the following
|
|
|
7e21e5 |
locking issue happening in the compat path which can be easily triggered and
|
|
|
7e21e5 |
turned into an use-after-free.
|
|
|
7e21e5 |
|
|
|
7e21e5 |
64-bits:
|
|
|
7e21e5 |
snd_ctl_ioctl
|
|
|
7e21e5 |
snd_ctl_elem_read_user
|
|
|
7e21e5 |
[takes controls_rwsem]
|
|
|
7e21e5 |
snd_ctl_elem_read [lock properly held, all good]
|
|
|
7e21e5 |
[drops controls_rwsem]
|
|
|
7e21e5 |
|
|
|
7e21e5 |
32-bits:
|
|
|
7e21e5 |
snd_ctl_ioctl_compat
|
|
|
7e21e5 |
snd_ctl_elem_write_read_compat
|
|
|
7e21e5 |
ctl_elem_write_read
|
|
|
7e21e5 |
snd_ctl_elem_read [missing lock, not good]
|
|
|
7e21e5 |
|
|
|
7e21e5 |
CVE-2023-0266 was assigned for this issue.
|
|
|
7e21e5 |
|
|
|
7e21e5 |
Cc: stable@kernel.org # 5.13+
|
|
|
7e21e5 |
Signed-off-by: Clement Lecigne <clecigne@google.com>
|
|
|
7e21e5 |
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
|
|
|
7e21e5 |
Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de
|
|
|
7e21e5 |
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
|
7e21e5 |
|
|
|
7e21e5 |
Author: Clement Lecigne <clecigne@google.com>
|
|
|
7e21e5 |
Date: Fri Jan 13 13:07:45 2023 +0100
|
|
|
7e21e5 |
|
|
|
7e21e5 |
CVE: CVE-2023-0266
|
|
|
7e21e5 |
|
|
|
7e21e5 |
Signed-off-by: Jaroslav Kysela <jkysela@redhat.com>
|
|
|
7e21e5 |
(cherry picked from commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e)
|
|
|
7e21e5 |
Bugzilla: https://bugzilla.redhat.com/2163400
|
|
|
7e21e5 |
|
|
|
7e21e5 |
Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>
|
|
|
7e21e5 |
---
|
|
|
7e21e5 |
sound/core/control.c | 24 +++++++++++++++---------
|
|
|
7e21e5 |
1 file changed, 15 insertions(+), 9 deletions(-)
|
|
|
7e21e5 |
|
|
|
7e21e5 |
diff --git a/sound/core/control.c b/sound/core/control.c
|
|
|
7e21e5 |
index 92fa122941a7..00c86f4d9063 100644
|
|
|
7e21e5 |
--- a/sound/core/control.c
|
|
|
7e21e5 |
+++ b/sound/core/control.c
|
|
|
7e21e5 |
@@ -1066,14 +1066,19 @@ static int snd_ctl_elem_read(struct snd_card *card,
|
|
|
7e21e5 |
const u32 pattern = 0xdeadbeef;
|
|
|
7e21e5 |
int ret;
|
|
|
7e21e5 |
|
|
|
7e21e5 |
+ down_read(&card->controls_rwsem);
|
|
|
7e21e5 |
kctl = snd_ctl_find_id(card, &control->id);
|
|
|
7e21e5 |
- if (kctl == NULL)
|
|
|
7e21e5 |
- return -ENOENT;
|
|
|
7e21e5 |
+ if (kctl == NULL) {
|
|
|
7e21e5 |
+ ret = -ENOENT;
|
|
|
7e21e5 |
+ goto unlock;
|
|
|
7e21e5 |
+ }
|
|
|
7e21e5 |
|
|
|
7e21e5 |
index_offset = snd_ctl_get_ioff(kctl, &control->id);
|
|
|
7e21e5 |
vd = &kctl->vd[index_offset];
|
|
|
7e21e5 |
- if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL)
|
|
|
7e21e5 |
- return -EPERM;
|
|
|
7e21e5 |
+ if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL) {
|
|
|
7e21e5 |
+ ret = -EPERM;
|
|
|
7e21e5 |
+ goto unlock;
|
|
|
7e21e5 |
+ }
|
|
|
7e21e5 |
|
|
|
7e21e5 |
snd_ctl_build_ioff(&control->id, kctl, index_offset);
|
|
|
7e21e5 |
|
|
|
7e21e5 |
@@ -1083,7 +1088,7 @@ static int snd_ctl_elem_read(struct snd_card *card,
|
|
|
7e21e5 |
info.id = control->id;
|
|
|
7e21e5 |
ret = __snd_ctl_elem_info(card, kctl, &info, NULL);
|
|
|
7e21e5 |
if (ret < 0)
|
|
|
7e21e5 |
- return ret;
|
|
|
7e21e5 |
+ goto unlock;
|
|
|
7e21e5 |
#endif
|
|
|
7e21e5 |
|
|
|
7e21e5 |
if (!snd_ctl_skip_validation(&info))
|
|
|
7e21e5 |
@@ -1093,7 +1098,7 @@ static int snd_ctl_elem_read(struct snd_card *card,
|
|
|
7e21e5 |
ret = kctl->get(kctl, control);
|
|
|
7e21e5 |
snd_power_unref(card);
|
|
|
7e21e5 |
if (ret < 0)
|
|
|
7e21e5 |
- return ret;
|
|
|
7e21e5 |
+ goto unlock;
|
|
|
7e21e5 |
if (!snd_ctl_skip_validation(&info) &&
|
|
|
7e21e5 |
sanity_check_elem_value(card, control, &info, pattern) < 0) {
|
|
|
7e21e5 |
dev_err(card->dev,
|
|
|
7e21e5 |
@@ -1101,8 +1106,11 @@ static int snd_ctl_elem_read(struct snd_card *card,
|
|
|
7e21e5 |
control->id.iface, control->id.device,
|
|
|
7e21e5 |
control->id.subdevice, control->id.name,
|
|
|
7e21e5 |
control->id.index);
|
|
|
7e21e5 |
- return -EINVAL;
|
|
|
7e21e5 |
+ ret = -EINVAL;
|
|
|
7e21e5 |
+ goto unlock;
|
|
|
7e21e5 |
}
|
|
|
7e21e5 |
+unlock:
|
|
|
7e21e5 |
+ up_read(&card->controls_rwsem);
|
|
|
7e21e5 |
return ret;
|
|
|
7e21e5 |
}
|
|
|
7e21e5 |
|
|
|
7e21e5 |
@@ -1116,9 +1124,7 @@ static int snd_ctl_elem_read_user(struct snd_card *card,
|
|
|
7e21e5 |
if (IS_ERR(control))
|
|
|
7e21e5 |
return PTR_ERR(control);
|
|
|
7e21e5 |
|
|
|
7e21e5 |
- down_read(&card->controls_rwsem);
|
|
|
7e21e5 |
result = snd_ctl_elem_read(card, control);
|
|
|
7e21e5 |
- up_read(&card->controls_rwsem);
|
|
|
7e21e5 |
if (result < 0)
|
|
|
7e21e5 |
goto error;
|
|
|
7e21e5 |
|
|
|
7e21e5 |
--
|
|
|
7e21e5 |
2.39.2
|
|
|
7e21e5 |
|
|
|
7e21e5 |
|