rpms / kpatch-patch-5_14_0-162_12_1

Clone
Source Code
GIT

Blame SOURCES/CVE-2023-0266.patch

c9
  1.   c9
  2.   SOURCES
  3.   CVE-2023-0266.patch
Blob History Raw
fb1acb 
From 120548cde1d7642ff79d71827993e32babfb4e2f Mon Sep 17 00:00:00 2001
fb1acb 
From: Ryan Sullivan <rysulliv@redhat.com>
fb1acb 
Date: Fri, 17 Feb 2023 12:26:57 -0500
fb1acb 
Subject: [KPATCH CVE-2023-0266] kpatch fixes for CVE-2023-0266
fb1acb
fb1acb 
Kernels:
fb1acb 
5.14.0-162.6.1.el9_1
fb1acb 
5.14.0-162.12.1.el9_1
fb1acb
fb1acb
fb1acb 
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/24
fb1acb 
Approved-by: Yannick Cote (@ycote1)
fb1acb 
Approved-by: Joe Lawrence (@joe.lawrence)
fb1acb 
Changes since last build:
fb1acb 
[x86_64]:
fb1acb 
control.o: changed function: snd_ctl_elem_read
fb1acb 
control.o: changed function: snd_ctl_ioctl
fb1acb 
dev.o: changed function: register_netdevice
fb1acb 
tun.o: changed function: tun_free_netdev
fb1acb 
tun.o: changed function: tun_set_iff.constprop.0
fb1acb 
tun.o: new function: kpp_cve_2022_4744_tun_net_init
fb1acb
fb1acb 
[ppc64le]:
fb1acb 
dev.o: changed function: register_netdevice
fb1acb 
tun.o: changed function: tun_free_netdev
fb1acb 
tun.o: changed function: tun_set_iff.constprop.0
fb1acb 
tun.o: new function: kpp_cve_2022_4744_tun_net_init
fb1acb
fb1acb 
---------------------------
fb1acb
fb1acb 
Modifications: none
fb1acb
fb1acb 
commit c0295d3bd6b49f47e30822a9de9c042020092424
fb1acb 
Author: Jaroslav Kysela <jkysela@redhat.com>
fb1acb 
Date:   Tue Jan 31 17:13:11 2023 +0100
fb1acb
fb1acb 
    ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
fb1acb
fb1acb 
    Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user
fb1acb 
    like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce
fb1acb 
    snd_ctl_notify_one() helper"). Doing this way we are also fixing the following
fb1acb 
    locking issue happening in the compat path which can be easily triggered and
fb1acb 
    turned into an use-after-free.
fb1acb
fb1acb 
    64-bits:
fb1acb 
    snd_ctl_ioctl
fb1acb 
      snd_ctl_elem_read_user
fb1acb 
        [takes controls_rwsem]
fb1acb 
        snd_ctl_elem_read [lock properly held, all good]
fb1acb 
        [drops controls_rwsem]
fb1acb
fb1acb 
    32-bits:
fb1acb 
    snd_ctl_ioctl_compat
fb1acb 
      snd_ctl_elem_write_read_compat
fb1acb 
        ctl_elem_write_read
fb1acb 
          snd_ctl_elem_read [missing lock, not good]
fb1acb
fb1acb 
    CVE-2023-0266 was assigned for this issue.
fb1acb
fb1acb 
        Cc: stable@kernel.org # 5.13+
fb1acb 
        Signed-off-by: Clement Lecigne <clecigne@google.com>
fb1acb 
        Reviewed-by: Jaroslav Kysela <perex@perex.cz>
fb1acb 
        Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de
fb1acb 
        Signed-off-by: Takashi Iwai <tiwai@suse.de>
fb1acb
fb1acb 
    Author: Clement Lecigne <clecigne@google.com>
fb1acb 
    Date: Fri Jan 13 13:07:45 2023 +0100
fb1acb
fb1acb 
    CVE: CVE-2023-0266
fb1acb
fb1acb 
    Signed-off-by: Jaroslav Kysela <jkysela@redhat.com>
fb1acb 
    (cherry picked from commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e)
fb1acb 
    Bugzilla: https://bugzilla.redhat.com/2163390
fb1acb
fb1acb 
Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>
fb1acb 
---
fb1acb 
 sound/core/control.c | 24 +++++++++++++++---------
fb1acb 
 1 file changed, 15 insertions(+), 9 deletions(-)
fb1acb
fb1acb 
diff --git a/sound/core/control.c b/sound/core/control.c
fb1acb 
index a25c0d64d104..6e2a1e424627 100644
fb1acb 
--- a/sound/core/control.c
fb1acb 
+++ b/sound/core/control.c
fb1acb 
@@ -1066,14 +1066,19 @@ static int snd_ctl_elem_read(struct snd_card *card,
fb1acb 
 	const u32 pattern = 0xdeadbeef;
fb1acb 
 	int ret;
fb1acb
fb1acb 
+	down_read(&card->controls_rwsem);
fb1acb 
 	kctl = snd_ctl_find_id(card, &control->id);
fb1acb 
-	if (kctl == NULL)
fb1acb 
-		return -ENOENT;
fb1acb 
+	if (kctl == NULL) {
fb1acb 
+		ret = -ENOENT;
fb1acb 
+		goto unlock;
fb1acb 
+	}
fb1acb
fb1acb 
 	index_offset = snd_ctl_get_ioff(kctl, &control->id);
fb1acb 
 	vd = &kctl->vd[index_offset];
fb1acb 
-	if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL)
fb1acb 
-		return -EPERM;
fb1acb 
+	if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL) {
fb1acb 
+		ret = -EPERM;
fb1acb 
+		goto unlock;
fb1acb 
+	}
fb1acb
fb1acb 
 	snd_ctl_build_ioff(&control->id, kctl, index_offset);
fb1acb
fb1acb 
@@ -1083,7 +1088,7 @@ static int snd_ctl_elem_read(struct snd_card *card,
fb1acb 
 	info.id = control->id;
fb1acb 
 	ret = __snd_ctl_elem_info(card, kctl, &info, NULL);
fb1acb 
 	if (ret < 0)
fb1acb 
-		return ret;
fb1acb 
+		goto unlock;
fb1acb 
 #endif
fb1acb
fb1acb 
 	if (!snd_ctl_skip_validation(&info))
fb1acb 
@@ -1093,7 +1098,7 @@ static int snd_ctl_elem_read(struct snd_card *card,
fb1acb 
 		ret = kctl->get(kctl, control);
fb1acb 
 	snd_power_unref(card);
fb1acb 
 	if (ret < 0)
fb1acb 
-		return ret;
fb1acb 
+		goto unlock;
fb1acb 
 	if (!snd_ctl_skip_validation(&info) &&
fb1acb 
 	    sanity_check_elem_value(card, control, &info, pattern) < 0) {
fb1acb 
 		dev_err(card->dev,
fb1acb 
@@ -1101,8 +1106,11 @@ static int snd_ctl_elem_read(struct snd_card *card,
fb1acb 
 			control->id.iface, control->id.device,
fb1acb 
 			control->id.subdevice, control->id.name,
fb1acb 
 			control->id.index);
fb1acb 
-		return -EINVAL;
fb1acb 
+		ret = -EINVAL;
fb1acb 
+		goto unlock;
fb1acb 
 	}
fb1acb 
+unlock:
fb1acb 
+	up_read(&card->controls_rwsem);
fb1acb 
 	return ret;
fb1acb 
 }
fb1acb
fb1acb 
@@ -1116,9 +1124,7 @@ static int snd_ctl_elem_read_user(struct snd_card *card,
fb1acb 
 	if (IS_ERR(control))
fb1acb 
 		return PTR_ERR(control);
fb1acb
fb1acb 
-	down_read(&card->controls_rwsem);
fb1acb 
 	result = snd_ctl_elem_read(card, control);
fb1acb 
-	up_read(&card->controls_rwsem);
fb1acb 
 	if (result < 0)
fb1acb 
 		goto error;
fb1acb
fb1acb 
--
fb1acb 
2.39.2
fb1acb
fb1acb

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation