cve/published/2024/CVE-2024-38605.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38605: ALSA: core: Fix NULL module pointer assignment at card init

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ALSA: core: Fix NULL module pointer assignment at card init

 The commit 81033c6b584b ("ALSA: core: Warn on empty module")
 introduced a WARN_ON() for a NULL module pointer passed at snd_card
 object creation, and it also wraps the code around it with '#ifdef
 MODULE'.  This works in most cases, but the devils are always in
 details.  "MODULE" is defined when the target code (i.e. the sound
 core) is built as a module; but this doesn't mean that the caller is
 also built-in or not.  Namely, when only the sound core is built-in
 (CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),
 the passed module pointer is ignored even if it's non-NULL, and
 card->module remains as NULL.  This would result in the missing module
 reference up/down at the device open/close, leading to a race with the
 code execution after the module removal.

 For addressing the bug, move the assignment of card->module again out
 of ifdef.  The WARN_ON() is still wrapped with ifdef because the
 module can be really NULL when all sound drivers are built-in.

 Note that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would
 lead to a false-positive NULL module check.  Admittedly it won't catch
 perfectly, i.e. no check is performed when CONFIG_SND=y.  But, it's no
 real problem as it's only for debugging, and the condition is pretty
 rare.

 The Linux kernel CVE team has assigned CVE-2024-38605 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 5.10.219 with commit d7ff29a429b56f04783152ad7bbd7233b740e434
 	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 5.15.161 with commit e7e0ca200772bdb2fdc6d43d32d341e87a36f811
 	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 6.1.93 with commit e007476725730c1a68387b54b7629486d8a8301e
 	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 6.6.33 with commit e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92
 	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 6.8.12 with commit c935e72139e6d523defd60fe875c01eb1f9ea5c5
 	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 6.9.3 with commit 6b8374ee2cabcf034faa34e69a855dc496a9ec12
 	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 6.10 with commit 39381fe7394e5eafac76e7e9367e7351138a29c1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38605
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	sound/core/init.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434
 	https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811
 	https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e
 	https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92
 	https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5
 	https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12
 	https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e7351138a29c1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38605: ALSA: core: Fix NULL module pointer assignment at card init

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ALSA: core: Fix NULL module pointer assignment at card init

	The commit 81033c6b584b ("ALSA: core: Warn on empty module")
	introduced a WARN_ON() for a NULL module pointer passed at snd_card
	object creation, and it also wraps the code around it with '#ifdef
	MODULE'. This works in most cases, but the devils are always in
	details. "MODULE" is defined when the target code (i.e. the sound
	core) is built as a module; but this doesn't mean that the caller is
	also built-in or not. Namely, when only the sound core is built-in
	(CONFIG_SND=y) while the driver is a module (CONFIG_SND_USB_AUDIO=m),
	the passed module pointer is ignored even if it's non-NULL, and
	card->module remains as NULL. This would result in the missing module
	reference up/down at the device open/close, leading to a race with the
	code execution after the module removal.

	For addressing the bug, move the assignment of card->module again out
	of ifdef. The WARN_ON() is still wrapped with ifdef because the
	module can be really NULL when all sound drivers are built-in.

	Note that we keep 'ifdef MODULE' for WARN_ON(), otherwise it would
	lead to a false-positive NULL module check. Admittedly it won't catch
	perfectly, i.e. no check is performed when CONFIG_SND=y. But, it's no
	real problem as it's only for debugging, and the condition is pretty
	rare.

	The Linux kernel CVE team has assigned CVE-2024-38605 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 5.10.219 with commit d7ff29a429b56f04783152ad7bbd7233b740e434
	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 5.15.161 with commit e7e0ca200772bdb2fdc6d43d32d341e87a36f811
	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 6.1.93 with commit e007476725730c1a68387b54b7629486d8a8301e
	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 6.6.33 with commit e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92
	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 6.8.12 with commit c935e72139e6d523defd60fe875c01eb1f9ea5c5
	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 6.9.3 with commit 6b8374ee2cabcf034faa34e69a855dc496a9ec12
	Issue introduced in 5.9 with commit 81033c6b584b44514cbb16fffc26ca29a0fa6270 and fixed in 6.10 with commit 39381fe7394e5eafac76e7e9367e7351138a29c1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38605
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	sound/core/init.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d7ff29a429b56f04783152ad7bbd7233b740e434
	https://git.kernel.org/stable/c/e7e0ca200772bdb2fdc6d43d32d341e87a36f811
	https://git.kernel.org/stable/c/e007476725730c1a68387b54b7629486d8a8301e
	https://git.kernel.org/stable/c/e644036a3e2b2c9b3eee3c61b5d31c2ca8b5ba92
	https://git.kernel.org/stable/c/c935e72139e6d523defd60fe875c01eb1f9ea5c5
	https://git.kernel.org/stable/c/6b8374ee2cabcf034faa34e69a855dc496a9ec12
	https://git.kernel.org/stable/c/39381fe7394e5eafac76e7e9367e7351138a29c1