| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2022-48994: ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event |
| |
| With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), |
| indirect call targets are validated against the expected function |
| pointer prototype to make sure the call target is valid to help mitigate |
| ROP attacks. If they are not identical, there is a failure at run time, |
| which manifests as either a kernel panic or thread getting killed. |
| |
| seq_copy_in_user() and seq_copy_in_kernel() did not have prototypes |
| matching snd_seq_dump_func_t. Adjust this and remove the casts. There |
| are not resulting binary output differences. |
| |
| This was found as a result of Clang's new -Wcast-function-type-strict |
| flag, which is more sensitive than the simpler -Wcast-function-type, |
| which only checks for type width mismatches. |
| |
| The Linux kernel CVE team has assigned CVE-2022-48994 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 4.9.336 with commit b38486e82ecb9f3046e0184205f6b61408fc40c9 |
| Fixed in 4.14.302 with commit e385360705a0b346bdb57ce938249175d0613b8a |
| Fixed in 4.19.269 with commit 2f46e95bf344abc4e74f8158901d32a869e0adb6 |
| Fixed in 5.4.227 with commit 63badfed200219ca656968725f1a43df293ac936 |
| Fixed in 5.10.159 with commit 15c42ab8d43acb73e2eba361ad05822c0af0ecfa |
| Fixed in 5.15.83 with commit fccd454129f6a0739651f7f58307cdb631fd6e89 |
| Fixed in 6.0.13 with commit 13ee8fb5410b740c8dd2867d3557c7662f7dda2d |
| Fixed in 6.1 with commit 05530ef7cf7c7d700f6753f058999b1b5099a026 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2022-48994 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| sound/core/seq/seq_memory.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/b38486e82ecb9f3046e0184205f6b61408fc40c9 |
| https://git.kernel.org/stable/c/e385360705a0b346bdb57ce938249175d0613b8a |
| https://git.kernel.org/stable/c/2f46e95bf344abc4e74f8158901d32a869e0adb6 |
| https://git.kernel.org/stable/c/63badfed200219ca656968725f1a43df293ac936 |
| https://git.kernel.org/stable/c/15c42ab8d43acb73e2eba361ad05822c0af0ecfa |
| https://git.kernel.org/stable/c/fccd454129f6a0739651f7f58307cdb631fd6e89 |
| https://git.kernel.org/stable/c/13ee8fb5410b740c8dd2867d3557c7662f7dda2d |
| https://git.kernel.org/stable/c/05530ef7cf7c7d700f6753f058999b1b5099a026 |
