authorThorsten Leemhuis <fedora@leemhuis.info>2017-10-18 09:59:03 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2017-10-18 09:59:03 +0200
commit5381008fa790a255c78fedb409f41b7d5052b033 (patch)
tree63b0220583f91731544586ab3f166fec3ee59def
parentfcd4661ee6ba328fd359ecdced1fc1f9915bb4e7 (diff)
parent3118e0a1c805b1013905ddbef521341496272554 (diff)
Merge remote-tracking branch 'origin/f26' into f26-user-thl-vanilla-fedora
-rw-r--r--0001-ALSA-seq-Fix-use-after-free-at-creating-a-port.patch140
-rw-r--r--kernel.spec8
-rw-r--r--sources2
3 files changed, 149 insertions, 1 deletions
diff --git a/0001-ALSA-seq-Fix-use-after-free-at-creating-a-port.patch b/0001-ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
new file mode 100644
index 000000000..d04add8aa
--- /dev/null
+++ b/0001-ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
@@ -0,0 +1,140 @@
+From 71105998845fb012937332fe2e806d443c09e026 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Oct 2017 11:09:20 +0200
+Subject: [PATCH] ALSA: seq: Fix use-after-free at creating a port
+
+There is a potential race window opened at creating and deleting a
+port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates
+a port object and returns its pointer, but it doesn't take the
+refcount, thus it can be deleted immediately by another thread.
+Meanwhile, snd_seq_ioctl_create_port() still calls the function
+snd_seq_system_client_ev_port_start() with the created port object
+that is being deleted, and this triggers use-after-free like:
+
+ BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
+ =============================================================================
+ BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
+ -----------------------------------------------------------------------------
+ INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
+ ___slab_alloc+0x425/0x460
+ __slab_alloc+0x20/0x40
+ kmem_cache_alloc_trace+0x150/0x190
+ snd_seq_create_port+0x94/0x9b0 [snd_seq]
+ snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
+ snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+ snd_seq_ioctl+0x40/0x80 [snd_seq]
+ do_vfs_ioctl+0x54b/0xda0
+ SyS_ioctl+0x79/0x90
+ entry_SYSCALL_64_fastpath+0x16/0x75
+ INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
+ __slab_free+0x204/0x310
+ kfree+0x15f/0x180
+ port_delete+0x136/0x1a0 [snd_seq]
+ snd_seq_delete_port+0x235/0x350 [snd_seq]
+ snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
+ snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+ snd_seq_ioctl+0x40/0x80 [snd_seq]
+ do_vfs_ioctl+0x54b/0xda0
+ SyS_ioctl+0x79/0x90
+ entry_SYSCALL_64_fastpath+0x16/0x75
+ Call Trace:
+ [<ffffffff81b03781>] dump_stack+0x63/0x82
+ [<ffffffff81531b3b>] print_trailer+0xfb/0x160
+ [<ffffffff81536db4>] object_err+0x34/0x40
+ [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
+ [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
+ [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
+ [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
+ [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
+ [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
+ [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+ [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
+ [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
+ [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
+ .....
+
+We may fix this in a few different ways, and in this patch, it's fixed
+simply by taking the refcount properly at snd_seq_create_port() and
+letting the caller unref the object after use. Also, there is another
+potential use-after-free by sprintf() call in snd_seq_create_port(),
+and this is moved inside the lock.
+
+This fix covers CVE-2017-15265.
+
+Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/seq/seq_clientmgr.c | 6 +++++-
+ sound/core/seq/seq_ports.c | 7 +++++--
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index ea2d0ae85bd3..6c9cba2166d9 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
+ struct snd_seq_port_info *info = arg;
+ struct snd_seq_client_port *port;
+ struct snd_seq_port_callback *callback;
++ int port_idx;
+
+ /* it is not allowed to create the port for an another client */
+ if (info->addr.client != client->number)
+@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
+ return -ENOMEM;
+
+ if (client->type == USER_CLIENT && info->kernel) {
+- snd_seq_delete_port(client, port->addr.port);
++ port_idx = port->addr.port;
++ snd_seq_port_unlock(port);
++ snd_seq_delete_port(client, port_idx);
+ return -EINVAL;
+ }
+ if (client->type == KERNEL_CLIENT) {
+@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
+
+ snd_seq_set_port_info(port, info);
+ snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
++ snd_seq_port_unlock(port);
+
+ return 0;
+ }
+diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
+index 0a7020c82bfc..d21ece9f8d73 100644
+--- a/sound/core/seq/seq_ports.c
++++ b/sound/core/seq/seq_ports.c
+@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp)
+ }
+
+
+-/* create a port, port number is returned (-1 on failure) */
++/* create a port, port number is returned (-1 on failure);
++ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
++ */
+ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
+ int port)
+ {
+@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
+ snd_use_lock_init(&new_port->use_lock);
+ port_subs_info_init(&new_port->c_src);
+ port_subs_info_init(&new_port->c_dest);
++ snd_use_lock_use(&new_port->use_lock);
+
+ num = port >= 0 ? port : 0;
+ mutex_lock(&client->ports_mutex);
+@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
+ list_add_tail(&new_port->list, &p->list);
+ client->num_ports++;
+ new_port->addr.port = num; /* store the port number in the port */
++ sprintf(new_port->name, "port-%d", num);
+ write_unlock_irqrestore(&client->ports_lock, flags);
+ mutex_unlock(&client->ports_mutex);
+- sprintf(new_port->name, "port-%d", num);
+
+ return new_port;
+ }
+--
+2.13.5
+
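Review bot: The use count taken by `snd_use_lock_use(&new_port->use_lock)` in snd_seq_create_port() now has to be dropped on every exit of snd_seq_ioctl_create_port(), but the hunks only show the two exits they touch (the `info->kernel` rejection and the final return); the stretch between the second and third hunk, presumably the KERNEL_CLIENT callback setup, is outside this view, and any early return there would leak the reference and, if snd_seq_delete_port() waits for the count to drop as its name suggests, pin the port forever — worth confirming, or restructuring the function around a single unlock-and-return exit. The function comment in seq_ports.c is also now stale: the function returns a port pointer, NULL on failure as the caller's `-ENOMEM` path shows, not a port number, so it should read `/* create a port; returns the new port object (NULL on failure) with a use count held — the caller must drop it with snd_seq_port_unlock() on every path */`. Note that snd_seq_ioctl_create_port() begins outside the hunk, so its full set of exits cannot be checked from here.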
diff --git a/kernel.spec b/kernel.spec
index 774b6afc5..9b9d95b1f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -712,6 +712,9 @@ Patch630: Input-synaptics---Disable-kernel-tracking-on-SMBus-devices.patch
# Headed upstream
Patch631: drm-i915-boost-GPU-clocks-if-we-miss-the-pageflip.patch
+# CVE-2017-15265 rhbz 1501878 1501880
+Patch633: 0001-ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
+
# END OF PATCH DEFINITIONS
%endif
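Review bot: The new Patch633 line sits under the `# Headed upstream` heading, but the patch file itself is the already-merged mainline commit 71105998845f carrying a `Cc: stable` trailer, so a reader of the spec cannot tell from the comment that this is a stable backport to be dropped once the base release carries it; the comment above it would be clearer as `# CVE-2017-15265 rhbz 1501878 1501880 (upstream 71105998845f, Cc: stable; drop once the base 4.13.y release includes it)`. The jump from Patch631 to Patch633 also leaves a gap, and if Patch632 is not defined elsewhere in the file it is a numbering hole worth closing.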
@@ -2289,6 +2292,11 @@ fi
#
#
%changelog
+* Mon Oct 16 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.13.7-200
+- Linux v4.13.7
+- Fixes CVE-2017-5123 (rhbz 1500094 1501762)
+- Fix CVE-2017-15265 (rhbz 1501878 1501880)
+
* Thu Oct 12 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.13.6-200
- Linux v4.13.6
- Fixes CVE-2017-1000255 (rhbz 1498067 1500335)
diff --git a/sources b/sources
index b44855500..81a623c86 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2
SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
-SHA512 (patch-4.13.6.xz) = 40e111f3969b622f982bfb75f8c35aa59d9989a627a4511d8e0090b0c7bbcafcc90567434f5166ef2d17831f0beddb52762107e523414523e1877f67f66ca3f7
+SHA512 (patch-4.13.7.xz) = 4d96c655ca4c720b872e1a88ba9989a419880cb5fec2a4a9190077588066f205c5dce2591a76f26375f6f50001334ceb7631d489d3b24ca443d10e1e6879ed54