CVE-2023-53275

The variable codec->regmap is often protected by the lock codec->regmaplock when is accessed. However, it is accessed without holding the lock when is accessed in sndhdacregmapsync():

if (codec->regmap)

In my opinion, this may be a harmful race, because if codec->regmap is set to NULL right after the condition is checked, a null-pointer dereference can occur in the called function regcache_sync():

map->lock(map->lock_arg); --> Line 360 in drivers/base/regmap/regcache.c

To fix this possible null-pointer dereference caused by data race, the mutexlock coverage is extended to protect the if statement as well as the function call to regcachesync().

[ Note: the lack of the regmaplock itself is harmless for the current codec driver implementations, as sndhdacregmapsync() is only for PM runtime resume that is prohibited during the codec probe. But the change makes the whole code more consistent, so it's merged as is -- tiwai ]

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53275.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

69d5dc286d05441ca2f854ae8df11201f6f9b706

Fixed

109f0aaa0b8838a88af9125b79579023539300a7

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

1a462be52f4505a2719631fb5aa7bfdbd37bfd8d

Fixed

9f9eed451176ffcac6b5ba0f6dae1a6b4a1cb0eb

Fixed

8703b26387e1fa4f8749db98d24c67617b873acb

Fixed

cdd412b528dee6e0851c4735d6676ec138da13a4

Fixed

b32e40379e5b2814de0c4bc199edc2d82317dc07

Fixed

1f4a08fed450db87fbb5ff5105354158bdbe1a22

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53275.json"