oss-sec mailing list archives

Linux Kernel: ALSA: use-after-free Write in snd_rawmidi_kernel_write1


From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Tue, 1 Dec 2020 13:51:58 +0800

Hi,
I reported a use-after-free bug in snd_rawmidi_kernel_write1 in
sound/core/rawmidi.c months ago, and reproduced it on the latest version
at that time, linux-5.7.0.

Description:

It was found that the rawmidi kernel driver does not protect
against concurrent access, which leads to a use-after-free in
snd_rawmidi_kernel_read1() and snd_rawmidi_kernel_write1() in
sound/core/rawmidi.c.
A malicious local attacker could possibly use this for privilege
escalation.

Root Cause:

The rawmidi core allows the user to resize the runtime buffer via ioctl,
and this may lead to a UAF when it is performed during concurrent reads or writes:
the read/write functions temporarily drop the runtime lock while copying
from/to user space, and that unlocked copy is the race window.

Patch for this issue:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d

CVE assigned:

not assigned.

Timeline:

*2020/5/7  - Vulnerability reported to security () kernel org.
*2020/5/7  - Vulnerability confirmed and patched.
*2020/5/18 - Requested a CVE ID via https://cveform.mitre.org/
*2020/11/18 - CVE request responded to, but no ID assigned.
*2020/11/18 - Reported to Red Hat.
*2020/12/1 - Opened on oss-security () lists openwall com

Credit:

This issue was discovered by the ADLab of venustech.


Regards.
 butt3rflyh4ck.
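The race described in the Root Cause section, as an added example that is not part of the original post or of the kernel source. It is a single-threaded C model: the runtime lock is a flag, and the "other CPU" is a callback run inside the unlocked copy window, so the interleaving is deterministic. The patched variant follows the approach I understand the referenced fix to take (a reference count taken around the unlocked copy, with the resize refusing with -EBUSY while it is nonzero); the struct, field and function names (rt, buffer_ref, generation, write1, resize_buffer, run_scenario) are the example's own, and the generation counter exists only so the model can report a stale pointer instead of writing through it.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a rawmidi runtime (names are the example's own, not the kernel's). */
struct rt {
    unsigned char *buffer;
    size_t buffer_size;
    size_t appl_ptr;      /* next write position */
    unsigned generation;  /* model only: bumped on every buffer swap */
    int buffer_ref;       /* the fix: readers/writers inside the window */
    int fixed;            /* 0 = pre-patch behaviour, 1 = with refcount */
    int locked;
};

static void rt_lock(struct rt *r)   { assert(!r->locked); r->locked = 1; }
static void rt_unlock(struct rt *r) { assert(r->locked);  r->locked = 0; }

/* The ioctl path: free the old runtime buffer and install a new one.
 * With the fix it refuses while a read/write is inside its copy window. */
static int resize_buffer(struct rt *r, size_t newsize)
{
    unsigned char *nb;
    rt_lock(r);
    if (r->fixed && r->buffer_ref) {
        rt_unlock(r);
        return -EBUSY;
    }
    nb = calloc(newsize, 1);
    if (!nb) { rt_unlock(r); return -ENOMEM; }
    free(r->buffer);            /* any pointer saved earlier now dangles */
    r->buffer = nb;
    r->buffer_size = newsize;
    r->appl_ptr = 0;
    r->generation++;
    rt_unlock(r);
    return 0;
}

/* Shape of snd_rawmidi_kernel_write1(): pick the destination under the lock,
 * drop the lock for the user copy, re-take it to commit.  Returns bytes
 * written, or -EFAULT when the commit would touch a buffer freed during
 * the window (the model records that instead of corrupting the heap). */
static long write1(struct rt *r, const unsigned char *src, size_t count,
                   void (*during_copy)(struct rt *), int *stale_use)
{
    unsigned char *dst;
    unsigned gen;

    *stale_use = 0;
    rt_lock(r);
    if (count > r->buffer_size - r->appl_ptr)
        count = r->buffer_size - r->appl_ptr;
    dst = r->buffer + r->appl_ptr;   /* computed from the current buffer */
    gen = r->generation;
    if (r->fixed)
        r->buffer_ref++;             /* pin the buffer across the window */
    rt_unlock(r);

    /* ---- race window: copy_from_user() runs without the lock ---- */
    if (during_copy)
        during_copy(r);

    rt_lock(r);
    if (r->fixed)
        r->buffer_ref--;
    if (gen != r->generation) {
        *stale_use = 1;              /* real driver: memcpy() into freed memory */
        rt_unlock(r);
        return -EFAULT;
    }
    memcpy(dst, src, count);
    r->appl_ptr += count;
    rt_unlock(r);
    return (long)count;
}

static int last_resize_rc;

/* The concurrent ioctl: shrink the buffer while the writer is in the window. */
static void ioctl_resize_during_copy(struct rt *r)
{
    last_resize_rc = resize_buffer(r, 16);
}

struct outcome { long wrote; int resize_rc; int stale_use; };

/* One writer racing one resize, pre-patch (fixed=0) or patched (fixed=1). */
static struct outcome run_scenario(int fixed)
{
    /* constructed input: MIDI note-on then note-off for middle C */
    static const unsigned char msg[] = { 0x90, 0x3c, 0x7f, 0x80, 0x3c, 0x00 };
    struct rt r = { 0 };
    struct outcome o;

    r.buffer = calloc(64, 1);
    r.buffer_size = 64;
    r.fixed = fixed;
    o.wrote = write1(&r, msg, sizeof msg, ioctl_resize_during_copy, &o.stale_use);
    o.resize_rc = last_resize_rc;
    free(r.buffer);
    return o;
}

int main(void)
{
    struct outcome v = run_scenario(0), f = run_scenario(1);
    printf("pre-patch: resize=%d write=%ld stale_use=%d\n", v.resize_rc, v.wrote, v.stale_use);
    printf("patched:   resize=%d write=%ld stale_use=%d\n", f.resize_rc, f.wrote, f.stale_use);
    return 0;
}
```

Pre-patch, the resize succeeds inside the window and the writer's saved destination pointer refers to freed memory when the lock is re-taken; patched, the in-flight writer holds a reference, the resize returns -EBUSY, and the six bytes land in the still-valid buffer. In a real kernel the same interleaving is won by looping a writer and a resizing ioctl on two threads, which is why the fix has to make the resize observe the in-flight copy rather than just widen the locked region.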
