From 6cfa68ca747bc4fe8978bcf92c3d894e95c05022 Mon Sep 17 00:00:00 2001

From: Ryan Sullivan <rysulliv@redhat.com>

Date: Fri, 17 Feb 2023 10:33:05 -0500

Subject: [KPATCH CVE-2023-0266] kpatch fixes for CVE-2023-0266

Kernels:

4.18.0-425.3.1.el8

4.18.0-425.10.1.el8_7

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/87

Approved-by: Yannick Cote (@ycote1)

Approved-by: Joe Lawrence (@joe.lawrence)

Changes since last build:

[x86_64]:

control.o: changed function: snd_ctl_elem_read

control.o: changed function: snd_ctl_ioctl

sysctl.o: changed function: __do_proc_dointvec

sysctl.o: changed function: __do_proc_douintvec

sysctl.o: changed function: __do_proc_doulongvec_minmax

sysctl.o: changed function: proc_get_long.constprop.14

[ppc64le]:

control.o: changed function: snd_ctl_elem_read

control.o: changed function: snd_ctl_ioctl

sysctl.o: changed function: __do_proc_dointvec

sysctl.o: changed function: __do_proc_doulongvec_minmax

sysctl.o: changed function: proc_dopipe_max_size

sysctl.o: changed function: proc_douintvec

sysctl.o: changed function: proc_douintvec_minmax

sysctl.o: changed function: proc_get_long.constprop.14

---------------------------

Modifications: none

commit 28e15c1ec38154a006589fb8eb40fcab1eea97ce

Author: Jaroslav Kysela <jkysela@redhat.com>

Date:   Thu Feb 9 09:10:34 2023 +0100

    ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

    Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user

    like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce

    snd_ctl_notify_one() helper"). Doing this way we are also fixing the following

    locking issue happening in the compat path which can be easily triggered and

    turned into an use-after-free.

    64-bits:

    snd_ctl_ioctl

      snd_ctl_elem_read_user

        [takes controls_rwsem]

        snd_ctl_elem_read [lock properly held, all good]

        [drops controls_rwsem]

    32-bits:

    snd_ctl_ioctl_compat

      snd_ctl_elem_write_read_compat

        ctl_elem_write_read

          snd_ctl_elem_read [missing lock, not good]

    CVE-2023-0266 was assigned for this issue.

        Cc: stable@kernel.org # 5.13+

        Signed-off-by: Clement Lecigne <clecigne@google.com>

        Reviewed-by: Jaroslav Kysela <perex@perex.cz>

        Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de

        Signed-off-by: Takashi Iwai <tiwai@suse.de>

    Author: Clement Lecigne <clecigne@google.com>

    Date: Fri Jan 13 13:07:45 2023 +0100

    CVE: CVE-2023-0266

    Signed-off-by: Jaroslav Kysela <jkysela@redhat.com>

    (cherry picked from commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e)

    Bugzilla: https://bugzilla.redhat.com/2163400

Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>

---

 sound/core/control.c | 24 +++++++++++++++---------

 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/sound/core/control.c b/sound/core/control.c

index 92fa122941a7..00c86f4d9063 100644

--- a/sound/core/control.c

+++ b/sound/core/control.c

@@ -1066,14 +1066,19 @@ static int snd_ctl_elem_read(struct snd_card *card,

 	const u32 pattern = 0xdeadbeef;

 	int ret;

+	down_read(&card->controls_rwsem);

 	kctl = snd_ctl_find_id(card, &control->id);

-	if (kctl == NULL)

-		return -ENOENT;

+	if (kctl == NULL) {

+		ret = -ENOENT;

+		goto unlock;

+	}

 	index_offset = snd_ctl_get_ioff(kctl, &control->id);

 	vd = &kctl->vd[index_offset];

-	if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL)

-		return -EPERM;

+	if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL) {

+		ret = -EPERM;

+		goto unlock;

+	}

 	snd_ctl_build_ioff(&control->id, kctl, index_offset);

@@ -1083,7 +1088,7 @@ static int snd_ctl_elem_read(struct snd_card *card,

 	info.id = control->id;

 	ret = __snd_ctl_elem_info(card, kctl, &info, NULL);

 	if (ret < 0)

-		return ret;

+		goto unlock;

 #endif

 	if (!snd_ctl_skip_validation(&info))

@@ -1093,7 +1098,7 @@ static int snd_ctl_elem_read(struct snd_card *card,

 		ret = kctl->get(kctl, control);

 	snd_power_unref(card);

 	if (ret < 0)

-		return ret;

+		goto unlock;

 	if (!snd_ctl_skip_validation(&info) &&

 	    sanity_check_elem_value(card, control, &info, pattern) < 0) {

 		dev_err(card->dev,

@@ -1101,8 +1106,11 @@ static int snd_ctl_elem_read(struct snd_card *card,

 			control->id.iface, control->id.device,

 			control->id.subdevice, control->id.name,

 			control->id.index);

-		return -EINVAL;

+		ret = -EINVAL;

+		goto unlock;

 	}

+unlock:

+	up_read(&card->controls_rwsem);

 	return ret;

 }

@@ -1116,9 +1124,7 @@ static int snd_ctl_elem_read_user(struct snd_card *card,

 	if (IS_ERR(control))

 		return PTR_ERR(control);

-	down_read(&card->controls_rwsem);

 	result = snd_ctl_elem_read(card, control);

-	up_read(&card->controls_rwsem);

 	if (result < 0)

 		goto error;

-- 

2.39.2