Bug 2163379 (CVE-2023-0266) - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
Status: NEW
Alias: CVE-2023-0266
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2125540 2163394 2163395 2163396 2163397 2163399 2163400 2163401 2163402 2163403 2163404 2163405 2163406 2163409 2163410 2163411 2163412 2163413 2175635 2163389 2163390 2163391 2163392 2163393 2163414 2163415
Blocks: 2162737
Reported: 2023-01-23 10:30 UTC by Rohit Keshri
Modified: 2023-04-01 08:44 UTC

Fixed In Version: Kernel 6.2 RC4
Doc Text:
A use-after-free flaw was found in the ALSA subsystem in sound/core/control.c in the Linux kernel. This flaw allows a local attacker to cause a use-after-free issue.

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2023:1531 | 0 | None | None | None | 2023-03-30 08:51:00 UTC
Red Hat Product Errata | RHSA-2023:1202 | 0 | None | None | None | 2023-03-14 13:53:58 UTC
Red Hat Product Errata | RHSA-2023:1203 | 0 | None | None | None | 2023-03-14 13:54:13 UTC
Red Hat Product Errata | RHSA-2023:1435 | 0 | None | None | None | 2023-03-23 09:03:46 UTC
Red Hat Product Errata | RHSA-2023:1469 | 0 | None | None | None | 2023-03-27 08:11:18 UTC
Red Hat Product Errata | RHSA-2023:1470 | 0 | None | None | None | 2023-03-27 08:29:04 UTC
Red Hat Product Errata | RHSA-2023:1471 | 0 | None | None | None | 2023-03-27 08:12:55 UTC

Description Rohit Keshri 2023-01-23 10:30:14 UTC
A use-after-free bug was found in the ALSA subsystem. Taking rwsem
lock in snd_ctl_elem_read_user will cause a use-after-free bug.

This bug was introduced by commit 1fa4445 ("ALSA: control - introduce
snd_ctl_notify_one() helper") in 5.13-rc1.

Fixed status
mainline: [56b88b50565cd8b946a2d00b0c83927b7ebb055e]
stable/4.19: [5b2ea7e91352165054c5b3f8e5442cd31c3e73f9]
stable/5.10: [df02234e6b87d2a9a82acd3198e44bdeff8488c6]
stable/5.15: [26350c21bc5e97a805af878e092eb8125843fe2c]
stable/6.1: [d6ad4bd1d896ae1daffd7628cd50f124280fb8b1]

Comment 6 errata-xmlrpc 2023-03-14 13:53:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1202 https://access.redhat.com/errata/RHSA-2023:1202

Comment 7 errata-xmlrpc 2023-03-14 13:54:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1203 https://access.redhat.com/errata/RHSA-2023:1203

Comment 8 errata-xmlrpc 2023-03-23 09:03:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1435 https://access.redhat.com/errata/RHSA-2023:1435

Comment 9 errata-xmlrpc 2023-03-27 08:11:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1469 https://access.redhat.com/errata/RHSA-2023:1469

Comment 10 errata-xmlrpc 2023-03-27 08:12:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1471 https://access.redhat.com/errata/RHSA-2023:1471

Comment 11 errata-xmlrpc 2023-03-27 08:29:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1470 https://access.redhat.com/errata/RHSA-2023:1470

Comment 13 kechoi 2023-03-31 20:47:24 UTC
A customer is waiting on a fix for RHEL 8.7. Will the fix be backported to RHEL 8? Are there any mitigation steps available?

