Bug 2163379 (CVE-2023-0266)

Summary: CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: acaringi, arachman, bhu, chwhite, crwood, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, fhrbata, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kechoi, kernel-mgr, kpatch-maint, lgoncalv, lleshchi, lveyde, lzampier, michal.skrivanek, mperina, nmurray, ptalbert, qzhao, rhandlin, rogbas, rvrbovsk, sbonazzo, scweaver, tyberry, vkumar, vsroka, walters, williams, ycote
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Kernel 6.2 RC4
Doc Text:
A use-after-free flaw was found in snd_ctl_elem_read in sound/core/control.c in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. In this flaw, a local attacker with normal privileges may impact the system due to a locking issue in the compat path, leading to a kernel information leak problem.
Last Closed: 2023-04-10 13:01:29 UTC
Bug Depends On: 2125540, 2163389, 2163390, 2163391, 2163392, 2163393, 2163394, 2163395, 2163396, 2163397, 2163399, 2163400, 2163401, 2163402, 2163403, 2163404, 2163405, 2163406, 2163409, 2163410, 2163411, 2163412, 2163413, 2163414, 2163415, 2175635    
Bug Blocks: 2162737    

Description Rohit Keshri 2023-01-23 10:30:14 UTC
A use-after-free flaw was found in snd_ctl_elem_read in sound/core/control.c in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. In this flaw, a local attacker with normal privileges may impact the system due to a locking issue in the compat path, leading to a kernel information leak problem.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56b88b50565cd8b946a2d00b0c83927b7ebb055e

Comment 6 errata-xmlrpc 2023-03-14 13:53:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1202 https://access.redhat.com/errata/RHSA-2023:1202

Comment 7 errata-xmlrpc 2023-03-14 13:54:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1203 https://access.redhat.com/errata/RHSA-2023:1203

Comment 8 errata-xmlrpc 2023-03-23 09:03:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1435 https://access.redhat.com/errata/RHSA-2023:1435

Comment 9 errata-xmlrpc 2023-03-27 08:11:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1469 https://access.redhat.com/errata/RHSA-2023:1469

Comment 10 errata-xmlrpc 2023-03-27 08:12:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1471 https://access.redhat.com/errata/RHSA-2023:1471

Comment 11 errata-xmlrpc 2023-03-27 08:29:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1470 https://access.redhat.com/errata/RHSA-2023:1470

Comment 13 kechoi 2023-03-31 20:47:24 UTC
A customer is waiting on a fix for RHEL 8.7. Will the fix be backported to RHEL 8? Are there any mitigation steps available?

Comment 16 errata-xmlrpc 2023-04-04 06:52:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1556 https://access.redhat.com/errata/RHSA-2023:1556

Comment 17 errata-xmlrpc 2023-04-04 06:53:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1554 https://access.redhat.com/errata/RHSA-2023:1554

Comment 18 errata-xmlrpc 2023-04-04 06:54:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1560 https://access.redhat.com/errata/RHSA-2023:1560

Comment 19 errata-xmlrpc 2023-04-04 06:55:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1557 https://access.redhat.com/errata/RHSA-2023:1557

Comment 20 errata-xmlrpc 2023-04-04 06:55:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1559 https://access.redhat.com/errata/RHSA-2023:1559

Comment 21 errata-xmlrpc 2023-04-04 09:05:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1584 https://access.redhat.com/errata/RHSA-2023:1584

Comment 22 errata-xmlrpc 2023-04-04 09:07:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:1588 https://access.redhat.com/errata/RHSA-2023:1588

Comment 23 errata-xmlrpc 2023-04-04 09:07:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:1590 https://access.redhat.com/errata/RHSA-2023:1590

Comment 24 errata-xmlrpc 2023-04-04 09:21:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1566 https://access.redhat.com/errata/RHSA-2023:1566

Comment 25 Rohit Keshri 2023-04-04 12:20:24 UTC
In reply to comment #13:
> A customer is waiting on a fix for RHEL 8.7. Will the fix be backported to
> RHEL 8? Are there any mitigation steps available?

Hello, yes, we have this fixed for RHEL 8.7. Please refer to the CVE page as well for more information. Thank you.

Comment 26 errata-xmlrpc 2023-04-05 13:42:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1662 https://access.redhat.com/errata/RHSA-2023:1662

Comment 27 errata-xmlrpc 2023-04-05 13:43:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1660 https://access.redhat.com/errata/RHSA-2023:1660

Comment 28 errata-xmlrpc 2023-04-05 14:05:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1659 https://access.redhat.com/errata/RHSA-2023:1659

Comment 29 errata-xmlrpc 2023-04-05 16:16:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:1666 https://access.redhat.com/errata/RHSA-2023:1666

Comment 30 errata-xmlrpc 2023-04-10 01:30:31 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:1677 https://access.redhat.com/errata/RHSA-2023:1677

Comment 31 Marco Benatto 2023-04-10 13:01:29 UTC
Closing this bug as most of the fixes were already delivered through errata.