cve/published/2025/CVE-2025-23134.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-23134: ALSA: timer: Don't take register_mutex with copy_from/to_user()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ALSA: timer: Don't take register_mutex with copy_from/to_user()

 The infamous mmap_lock taken in copy_from/to_user() can be often
 problematic when it's called inside another mutex, as they might lead
 to deadlocks.

 In the case of ALSA timer code, the bad pattern is with
 guard(mutex)(&register_mutex) that covers copy_from/to_user() -- which
 was mistakenly introduced at converting to guard(), and it had been
 carefully worked around in the past.

 This patch fixes those pieces simply by moving copy_from/to_user() out
 of the register mutex lock again.

 The Linux kernel CVE team has assigned CVE-2025-23134 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.9 with commit 3923de04c81733b30b8ed667569632272fdfed9a and fixed in 6.12.23 with commit 15291b561d8cc835a2eea76b394070cf8e072771
 	Issue introduced in 6.9 with commit 3923de04c81733b30b8ed667569632272fdfed9a and fixed in 6.13.11 with commit 296f7a9e15aab276db11206cbc1e2ae1215d7862
 	Issue introduced in 6.9 with commit 3923de04c81733b30b8ed667569632272fdfed9a and fixed in 6.14.2 with commit b074f47e55df93832bbbca1b524c501e6fea1c0d
 	Issue introduced in 6.9 with commit 3923de04c81733b30b8ed667569632272fdfed9a and fixed in 6.15 with commit 3424c8f53bc63c87712a7fc22dc13d0cc85fb0d6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-23134
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	sound/core/timer.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/15291b561d8cc835a2eea76b394070cf8e072771
 	https://git.kernel.org/stable/c/296f7a9e15aab276db11206cbc1e2ae1215d7862
 	https://git.kernel.org/stable/c/b074f47e55df93832bbbca1b524c501e6fea1c0d
 	https://git.kernel.org/stable/c/3424c8f53bc63c87712a7fc22dc13d0cc85fb0d6
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-23134: ALSA: timer: Don't take register_mutex with copy_from/to_user()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ALSA: timer: Don't take register_mutex with copy_from/to_user()

	The infamous mmap_lock taken in copy_from/to_user() can be often
	problematic when it's called inside another mutex, as they might lead
	to deadlocks.

	In the case of ALSA timer code, the bad pattern is with
	guard(mutex)(&register_mutex) that covers copy_from/to_user() -- which
	was mistakenly introduced at converting to guard(), and it had been
	carefully worked around in the past.

	This patch fixes those pieces simply by moving copy_from/to_user() out
	of the register mutex lock again.

	The Linux kernel CVE team has assigned CVE-2025-23134 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.9 with commit 3923de04c81733b30b8ed667569632272fdfed9a and fixed in 6.12.23 with commit 15291b561d8cc835a2eea76b394070cf8e072771
	Issue introduced in 6.9 with commit 3923de04c81733b30b8ed667569632272fdfed9a and fixed in 6.13.11 with commit 296f7a9e15aab276db11206cbc1e2ae1215d7862
	Issue introduced in 6.9 with commit 3923de04c81733b30b8ed667569632272fdfed9a and fixed in 6.14.2 with commit b074f47e55df93832bbbca1b524c501e6fea1c0d
	Issue introduced in 6.9 with commit 3923de04c81733b30b8ed667569632272fdfed9a and fixed in 6.15 with commit 3424c8f53bc63c87712a7fc22dc13d0cc85fb0d6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-23134
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	sound/core/timer.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/15291b561d8cc835a2eea76b394070cf8e072771
	https://git.kernel.org/stable/c/296f7a9e15aab276db11206cbc1e2ae1215d7862
	https://git.kernel.org/stable/c/b074f47e55df93832bbbca1b524c501e6fea1c0d
	https://git.kernel.org/stable/c/3424c8f53bc63c87712a7fc22dc13d0cc85fb0d6