cve/published/2022/CVE-2022-49272.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49272: ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock

 syzbot caught a potential deadlock between the PCM
 runtime->buffer_mutex and the mm->mmap_lock.  It was brought by the
 recent fix to cover the racy read/write and other ioctls, and in that
 commit, I overlooked a (hopefully only) corner case that may take the
 revert lock, namely, the OSS mmap.  The OSS mmap operation
 exceptionally allows to re-configure the parameters inside the OSS
 mmap syscall, where mm->mmap_mutex is already held.  Meanwhile, the
 copy_from/to_user calls at read/write operations also take the
 mm->mmap_lock internally, hence it may lead to a AB/BA deadlock.

 A similar problem was already seen in the past and we fixed it with a
 refcount (in commit b248371628aa).  The former fix covered only the
 call paths with OSS read/write and OSS ioctls, while we need to cover
 the concurrent access via both ALSA and OSS APIs now.

 This patch addresses the problem above by replacing the buffer_mutex
 lock in the read/write operations with a refcount similar as we've
 used for OSS.  The new field, runtime->buffer_accessing, keeps the
 number of concurrent read/write operations.  Unlike the former
 buffer_mutex protection, this protects only around the
 copy_from/to_user() calls; the other codes are basically protected by
 the PCM stream lock.  The refcount can be a negative, meaning blocked
 by the ioctls.  If a negative value is seen, the read/write aborts
 with -EBUSY.  In the ioctl side, OTOH, they check this refcount, too,
 and set to a negative value for blocking unless it's already being
 accessed.

 The Linux kernel CVE team has assigned CVE-2022-49272 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.109 with commit 8527c8f052fb42091c6569cb928e472376a4a889 and fixed in 5.10.110 with commit 9017201e8d8c6d1472273361389ed431188584a0
 	Issue introduced in 5.15.32 with commit 47711ff10c7e126702cfa725f6d86ef529d15a5f and fixed in 5.15.33 with commit 7777744e92a0b30e3e0cce2758d911837011ebd9
 	Issue introduced in 5.16.18 with commit 4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5 and fixed in 5.16.19 with commit abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e
 	Issue introduced in 5.17.1 with commit dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03 and fixed in 5.17.2 with commit be9813ad2fc8f0885f5ce6925af0d993ce5da4e5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49272
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/sound/pcm.h
 	sound/core/pcm.c
 	sound/core/pcm_lib.c
 	sound/core/pcm_native.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7e9133607e1501c94881be35e118d8f84d96dcb4
 	https://git.kernel.org/stable/c/40f4cffbe13a51faf136faf5f9ef6847782cd595
 	https://git.kernel.org/stable/c/9661bf674d6a82b76e4ae424438a8ce1e3ed855d
 	https://git.kernel.org/stable/c/9017201e8d8c6d1472273361389ed431188584a0
 	https://git.kernel.org/stable/c/7777744e92a0b30e3e0cce2758d911837011ebd9
 	https://git.kernel.org/stable/c/abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e
 	https://git.kernel.org/stable/c/be9813ad2fc8f0885f5ce6925af0d993ce5da4e5
 	https://git.kernel.org/stable/c/bc55cfd5718c7c23e5524582e9fa70b4d10f2433
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49272: ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock

	syzbot caught a potential deadlock between the PCM
	runtime->buffer_mutex and the mm->mmap_lock. It was brought by the
	recent fix to cover the racy read/write and other ioctls, and in that
	commit, I overlooked a (hopefully only) corner case that may take the
	revert lock, namely, the OSS mmap. The OSS mmap operation
	exceptionally allows to re-configure the parameters inside the OSS
	mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the
	copy_from/to_user calls at read/write operations also take the
	mm->mmap_lock internally, hence it may lead to a AB/BA deadlock.

	A similar problem was already seen in the past and we fixed it with a
	refcount (in commit b248371628aa). The former fix covered only the
	call paths with OSS read/write and OSS ioctls, while we need to cover
	the concurrent access via both ALSA and OSS APIs now.

	This patch addresses the problem above by replacing the buffer_mutex
	lock in the read/write operations with a refcount similar as we've
	used for OSS. The new field, runtime->buffer_accessing, keeps the
	number of concurrent read/write operations. Unlike the former
	buffer_mutex protection, this protects only around the
	copy_from/to_user() calls; the other codes are basically protected by
	the PCM stream lock. The refcount can be a negative, meaning blocked
	by the ioctls. If a negative value is seen, the read/write aborts
	with -EBUSY. In the ioctl side, OTOH, they check this refcount, too,
	and set to a negative value for blocking unless it's already being
	accessed.

	The Linux kernel CVE team has assigned CVE-2022-49272 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.109 with commit 8527c8f052fb42091c6569cb928e472376a4a889 and fixed in 5.10.110 with commit 9017201e8d8c6d1472273361389ed431188584a0
	Issue introduced in 5.15.32 with commit 47711ff10c7e126702cfa725f6d86ef529d15a5f and fixed in 5.15.33 with commit 7777744e92a0b30e3e0cce2758d911837011ebd9
	Issue introduced in 5.16.18 with commit 4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5 and fixed in 5.16.19 with commit abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e
	Issue introduced in 5.17.1 with commit dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03 and fixed in 5.17.2 with commit be9813ad2fc8f0885f5ce6925af0d993ce5da4e5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49272
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/sound/pcm.h
	sound/core/pcm.c
	sound/core/pcm_lib.c
	sound/core/pcm_native.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7e9133607e1501c94881be35e118d8f84d96dcb4
	https://git.kernel.org/stable/c/40f4cffbe13a51faf136faf5f9ef6847782cd595
	https://git.kernel.org/stable/c/9661bf674d6a82b76e4ae424438a8ce1e3ed855d
	https://git.kernel.org/stable/c/9017201e8d8c6d1472273361389ed431188584a0
	https://git.kernel.org/stable/c/7777744e92a0b30e3e0cce2758d911837011ebd9
	https://git.kernel.org/stable/c/abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e
	https://git.kernel.org/stable/c/be9813ad2fc8f0885f5ce6925af0d993ce5da4e5
	https://git.kernel.org/stable/c/bc55cfd5718c7c23e5524582e9fa70b4d10f2433