From 6cfa68ca747bc4fe8978bcf92c3d894e95c05022 Mon Sep 17 00:00:00 2001 
From: Ryan Sullivan Date: Fri, 17 Feb 2023 10:33:05 -0500 Subject: [KPATCH CVE-2023-0266] kpatch fixes for CVE-2023-0266 Kernels: 4.18.0-425.3.1.el8 4.18.0-425.10.1.el8_7 Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/87 Approved-by: Yannick Cote (@ycote1) Approved-by: Joe Lawrence (@joe.lawrence) Changes since last build: [x86_64]: control.o: changed function: snd_ctl_elem_read control.o: changed function: snd_ctl_ioctl sysctl.o: changed function: __do_proc_dointvec sysctl.o: changed function: __do_proc_douintvec sysctl.o: changed function: __do_proc_doulongvec_minmax sysctl.o: changed function: proc_get_long.constprop.14 [ppc64le]: control.o: changed function: snd_ctl_elem_read control.o: changed function: snd_ctl_ioctl sysctl.o: changed function: __do_proc_dointvec sysctl.o: changed function: __do_proc_doulongvec_minmax sysctl.o: changed function: proc_dopipe_max_size sysctl.o: changed function: proc_douintvec sysctl.o: changed function: proc_douintvec_minmax sysctl.o: changed function: proc_get_long.constprop.14 --------------------------- Modifications: none commit 28e15c1ec38154a006589fb8eb40fcab1eea97ce Author: Jaroslav Kysela Date: Thu Feb 9 09:10:34 2023 +0100 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce snd_ctl_notify_one() helper"). Doing this way we are also fixing the following locking issue happening in the compat path which can be easily triggered and turned into an use-after-free. 64-bits: snd_ctl_ioctl snd_ctl_elem_read_user [takes controls_rwsem] snd_ctl_elem_read [lock properly held, all good] [drops controls_rwsem] 32-bits: snd_ctl_ioctl_compat snd_ctl_elem_write_read_compat ctl_elem_write_read snd_ctl_elem_read [missing lock, not good] CVE-2023-0266 was assigned for this issue. Cc: stable@kernel.org # 5.13+ 
Signed-off-by: Clement Lecigne Reviewed-by: Jaroslav Kysela Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de Signed-off-by: Takashi Iwai Author: Clement Lecigne Date: Fri Jan 13 13:07:45 2023 +0100 CVE: CVE-2023-0266 Signed-off-by: Jaroslav Kysela (cherry picked from commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e) Bugzilla: https://bugzilla.redhat.com/2163400 Signed-off-by: Ryan Sullivan --- sound/core/control.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/sound/core/control.c b/sound/core/control.c index 92fa122941a7..00c86f4d9063 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1066,14 +1066,19 @@ static int snd_ctl_elem_read(struct snd_card *card, const u32 pattern = 0xdeadbeef; int ret; + down_read(&card->controls_rwsem); kctl = snd_ctl_find_id(card, &control->id); - if (kctl == NULL) - return -ENOENT; + if (kctl == NULL) { + ret = -ENOENT; + goto unlock; + } index_offset = snd_ctl_get_ioff(kctl, &control->id); vd = &kctl->vd[index_offset]; - if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL) - return -EPERM; + if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL) { + ret = -EPERM; + goto unlock; + } snd_ctl_build_ioff(&control->id, kctl, index_offset); @@ -1083,7 +1088,7 @@ static int snd_ctl_elem_read(struct snd_card *card, info.id = control->id; ret = __snd_ctl_elem_info(card, kctl, &info, NULL); if (ret < 0) - return ret; + goto unlock; #endif if (!snd_ctl_skip_validation(&info)) @@ -1093,7 +1098,7 @@ static int snd_ctl_elem_read(struct snd_card *card, ret = kctl->get(kctl, control); snd_power_unref(card); if (ret < 0) - return ret; + goto unlock; if (!snd_ctl_skip_validation(&info) && sanity_check_elem_value(card, control, &info, pattern) < 0) { dev_err(card->dev, 
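Review bot: The new `down_read(&card->controls_rwsem)` at the top of snd_ctl_elem_read changes the function's locking contract — every caller must now enter with controls_rwsem not held — but nothing in the hunk records that, and the function's opening lines precede the hunk. Read-side rwsem holds are not safe to nest in one task (a writer queued between two down_read() calls deadlocks), so a comment above the function would protect the next backporter: `/* Takes controls_rwsem for reading itself; callers must not already hold it. */`. The commit message names the compat path (ctl_elem_write_read) as the caller that previously lacked the lock; that caller is not in this diff, so it is worth confirming it does not take the rwsem on its own before calling in.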
@@ -1101,8 +1106,11 @@ static int snd_ctl_elem_read(struct snd_card *card, control->id.iface, control->id.device, control->id.subdevice, control->id.name, control->id.index); - return -EINVAL; + ret = -EINVAL; + goto unlock; } +unlock: + up_read(&card->controls_rwsem); return ret; } @@ -1116,9 +1124,7 @@ static int snd_ctl_elem_read_user(struct snd_card *card, if (IS_ERR(control)) return PTR_ERR(control); - down_read(&card->controls_rwsem); result = snd_ctl_elem_read(card, control); - up_read(&card->controls_rwsem); if (result < 0) goto error; -- 2.39.2
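Review bot: Dropping the down_read/up_read pair around snd_ctl_elem_read in snd_ctl_elem_read_user is only correct because the earlier hunks make snd_ctl_elem_read take and release the lock on every path, so this hunk and those must always land together; for a kpatch the remaining risk is that the 32-bit path is fixed only indirectly. The changed-function list on this MR shows `snd_ctl_elem_read` and `snd_ctl_ioctl` but no compat symbol, which is consistent with ctl_elem_write_read calling the out-of-line snd_ctl_elem_read — a quick check of the built objects that snd_ctl_elem_read is not also inlined into snd_ctl_ioctl_compat would rule out an inlined copy that still performs the unlocked read. snd_ctl_elem_read_user's `error` label and the copy back to userspace lie outside the hunk.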