Bug 2163379 (CVE-2023-0266) - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
Summary: CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
Status: CLOSED ERRATA
Alias: CVE-2023-0266
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2125540 2163389 2163390 2163391 2163392 2163393 2163394 2163395 2163396 2163397 2163399 2163400 2163401 2163402 2163403 2163404 2163405 2163406 2163409 2163410 2163411 2163412 2163413 2163414 2163415 2175635
Blocks: 2162737
Reported: 2023-01-23 10:30 UTC by Rohit Keshri
Modified: 2023-06-14 17:36 UTC (History)

Fixed In Version: Kernel 6.2 RC4
Doc Text:
A use-after-free flaw was found in snd_ctl_elem_read in sound/core/control.c in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. In this flaw, a normal privileged local attacker may impact the system due to a locking issue in the compat path, leading to a kernel information leak problem.
Last Closed: 2023-04-10 13:01:29 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2023:1531 | 0 | None | None | None | 2023-03-30 08:51:00 UTC
Red Hat Product Errata | RHBA-2023:1629 | 0 | None | None | None | 2023-04-04 15:16:24 UTC
Red Hat Product Errata | RHSA-2023:1202 | 0 | None | None | None | 2023-03-14 13:53:58 UTC
Red Hat Product Errata | RHSA-2023:1203 | 0 | None | None | None | 2023-03-14 13:54:13 UTC
Red Hat Product Errata | RHSA-2023:1435 | 0 | None | None | None | 2023-03-23 09:03:46 UTC
Red Hat Product Errata | RHSA-2023:1469 | 0 | None | None | None | 2023-03-27 08:11:18 UTC
Red Hat Product Errata | RHSA-2023:1470 | 0 | None | None | None | 2023-03-27 08:29:04 UTC
Red Hat Product Errata | RHSA-2023:1471 | 0 | None | None | None | 2023-03-27 08:12:55 UTC
Red Hat Product Errata | RHSA-2023:1554 | 0 | None | None | None | 2023-04-04 06:53:20 UTC
Red Hat Product Errata | RHSA-2023:1556 | 0 | None | None | None | 2023-04-04 06:52:17 UTC
Red Hat Product Errata | RHSA-2023:1557 | 0 | None | None | None | 2023-04-04 06:55:20 UTC
Red Hat Product Errata | RHSA-2023:1559 | 0 | None | None | None | 2023-04-04 06:55:35 UTC
Red Hat Product Errata | RHSA-2023:1560 | 0 | None | None | None | 2023-04-04 06:54:53 UTC
Red Hat Product Errata | RHSA-2023:1566 | 0 | None | None | None | 2023-04-04 09:21:41 UTC
Red Hat Product Errata | RHSA-2023:1584 | 0 | None | None | None | 2023-04-04 09:05:21 UTC
Red Hat Product Errata | RHSA-2023:1588 | 0 | None | None | None | 2023-04-04 09:07:35 UTC
Red Hat Product Errata | RHSA-2023:1590 | 0 | None | None | None | 2023-04-04 09:07:46 UTC
Red Hat Product Errata | RHSA-2023:1659 | 0 | None | None | None | 2023-04-05 14:05:53 UTC
Red Hat Product Errata | RHSA-2023:1660 | 0 | None | None | None | 2023-04-05 13:43:09 UTC
Red Hat Product Errata | RHSA-2023:1662 | 0 | None | None | None | 2023-04-05 13:43:00 UTC
Red Hat Product Errata | RHSA-2023:1666 | 0 | None | None | None | 2023-04-05 16:16:38 UTC
Red Hat Product Errata | RHSA-2023:1677 | 0 | None | None | None | 2023-04-10 01:30:34 UTC

Description Rohit Keshri 2023-01-23 10:30:14 UTC
A use-after-free flaw was found in snd_ctl_elem_read in sound/core/control.c in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. In this flaw, a normal privileged local attacker may impact the system due to a locking issue in the compat path, leading to a kernel information leak problem.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56b88b50565cd8b946a2d00b0c83927b7ebb055e

Comment 6 errata-xmlrpc 2023-03-14 13:53:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1202 https://access.redhat.com/errata/RHSA-2023:1202

Comment 7 errata-xmlrpc 2023-03-14 13:54:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1203 https://access.redhat.com/errata/RHSA-2023:1203

Comment 8 errata-xmlrpc 2023-03-23 09:03:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1435 https://access.redhat.com/errata/RHSA-2023:1435

Comment 9 errata-xmlrpc 2023-03-27 08:11:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1469 https://access.redhat.com/errata/RHSA-2023:1469

Comment 10 errata-xmlrpc 2023-03-27 08:12:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1471 https://access.redhat.com/errata/RHSA-2023:1471

Comment 11 errata-xmlrpc 2023-03-27 08:29:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1470 https://access.redhat.com/errata/RHSA-2023:1470

Comment 13 kechoi 2023-03-31 20:47:24 UTC
A customer is waiting on a fix for RHEL 8.7. Will the fix be backported to RHEL 8? Are there any mitigation steps available?

Comment 16 errata-xmlrpc 2023-04-04 06:52:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1556 https://access.redhat.com/errata/RHSA-2023:1556

Comment 17 errata-xmlrpc 2023-04-04 06:53:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1554 https://access.redhat.com/errata/RHSA-2023:1554

Comment 18 errata-xmlrpc 2023-04-04 06:54:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1560 https://access.redhat.com/errata/RHSA-2023:1560

Comment 19 errata-xmlrpc 2023-04-04 06:55:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1557 https://access.redhat.com/errata/RHSA-2023:1557

Comment 20 errata-xmlrpc 2023-04-04 06:55:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1559 https://access.redhat.com/errata/RHSA-2023:1559

Comment 21 errata-xmlrpc 2023-04-04 09:05:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1584 https://access.redhat.com/errata/RHSA-2023:1584

Comment 22 errata-xmlrpc 2023-04-04 09:07:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:1588 https://access.redhat.com/errata/RHSA-2023:1588

Comment 23 errata-xmlrpc 2023-04-04 09:07:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:1590 https://access.redhat.com/errata/RHSA-2023:1590

Comment 24 errata-xmlrpc 2023-04-04 09:21:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1566 https://access.redhat.com/errata/RHSA-2023:1566

Comment 25 Rohit Keshri 2023-04-04 12:20:24 UTC
In reply to comment #13:
> A customer is waiting on a fix for RHEL 8.7. Will the fix be backported to
> RHEL 8? Are there any mitigation steps available?

Hello, yes, we have this fixed for RHEL 8.7. Please refer to the CVE page as well for more information. Thank you.

Comment 26 errata-xmlrpc 2023-04-05 13:42:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1662 https://access.redhat.com/errata/RHSA-2023:1662

Comment 27 errata-xmlrpc 2023-04-05 13:43:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1660 https://access.redhat.com/errata/RHSA-2023:1660

Comment 28 errata-xmlrpc 2023-04-05 14:05:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1659 https://access.redhat.com/errata/RHSA-2023:1659

Comment 29 errata-xmlrpc 2023-04-05 16:16:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:1666 https://access.redhat.com/errata/RHSA-2023:1666

Comment 30 errata-xmlrpc 2023-04-10 01:30:31 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:1677 https://access.redhat.com/errata/RHSA-2023:1677

Comment 31 Marco Benatto 2023-04-10 13:01:29 UTC
Closing this bug as most of the fixes were already delivered through errata.

