diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-03-31 14:30:06 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-03-31 14:34:22 -0400 |
commit | 394fde452830e4487552df9e93c84e92bd226a9c (patch) | |
tree | f9efc36894db1f737ba78181350d5125eb56a0dc | |
parent | c1afd21fe4fd6f653b7d772054db84de239187c7 (diff) | |
download | kernel-394fde452830e4487552df9e93c84e92bd226a9c.tar.gz kernel-394fde452830e4487552df9e93c84e92bd226a9c.tar.xz kernel-394fde452830e4487552df9e93c84e92bd226a9c.zip |
Add two more patches for CVE-2016-2184
-rw-r--r-- | ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch | 100 | ||||
-rw-r--r-- | ALSA-usb-audio-Minor-code-cleanup-in-create_fixed_st.patch | 62 | ||||
-rw-r--r-- | kernel.spec | 5 |
3 files changed, 167 insertions, 0 deletions
diff --git a/ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch b/ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch new file mode 100644 index 000000000..c1c72f9bf --- /dev/null +++ b/ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch @@ -0,0 +1,100 @@ +From 1b9e866417f77622b03f5b9c4e2845133054e670 Mon Sep 17 00:00:00 2001 +From: Vladis Dronov <vdronov@redhat.com> +Date: Thu, 31 Mar 2016 12:05:43 -0400 +Subject: [PATCH 2/2] ALSA: usb-audio: Fix double-free in error paths after + snd_usb_add_audio_stream() call + +create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and +create_uaxx_quirk() functions allocate the audioformat object by themselves +and free it upon error before returning. However, once the object is linked +to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be +double-freed, eventually resulting in a memory corruption. + +This patch fixes these failures in the error paths by unlinking the audioformat +object before freeing it. + +Based on a patch by Takashi Iwai" <tiwai@suse.de> + +[Note for stable backports: + this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor + code cleanup in create_fixed_stream_quirk()')] + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358 +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Cc: <stable@vger.kernel.org> # see the note above +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + sound/usb/quirks.c | 4 ++++ + sound/usb/stream.c | 6 +++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 2f0bbc43f902..6f68ba9bda8a 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -150,6 +150,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + usb_audio_err(chip, "cannot memdup\n"); + return -ENOMEM; + } ++ INIT_LIST_HEAD(&fp->list); + if (fp->nr_rates > MAX_NR_RATES) { + kfree(fp); + return -EINVAL; +@@ -193,6 +194,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + return 0; + + error: ++ list_del(&fp->list); /* unlink for avoiding double-free */ + kfree(fp); + kfree(rate_table); + return err; +@@ -468,6 +470,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip, + fp->ep_attr = get_endpoint(alts, 0)->bmAttributes; + fp->datainterval = 0; + fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize); ++ INIT_LIST_HEAD(&fp->list); + + switch (fp->maxpacksize) { + case 0x120: +@@ -491,6 +494,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip, + ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + err = snd_usb_add_audio_stream(chip, stream, fp); + if (err < 0) { ++ list_del(&fp->list); /* unlink for avoiding double-free */ + kfree(fp); + return err; + } +diff --git a/sound/usb/stream.c b/sound/usb/stream.c +index 8ee14f2365e7..3b23102230c0 100644 +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -316,7 +316,9 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits, + /* + * add this endpoint to the chip instance. + * if a stream with the same endpoint already exists, append to it. +- * if not, create a new pcm stream. ++ * if not, create a new pcm stream. note, fp is added to the substream ++ * fmt_list and will be freed on the chip instance release. do not free ++ * fp or do remove it from the substream fmt_list to avoid double-free. + */ + int snd_usb_add_audio_stream(struct snd_usb_audio *chip, + int stream, +@@ -677,6 +679,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no) + * (fp->maxpacksize & 0x7ff); + fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no); + fp->clock = clock; ++ INIT_LIST_HEAD(&fp->list); + + /* some quirks for attributes here */ + +@@ -725,6 +728,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no) + dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint); + err = snd_usb_add_audio_stream(chip, stream, fp); + if (err < 0) { ++ list_del(&fp->list); /* unlink for avoiding double-free */ + kfree(fp->rate_table); + kfree(fp->chmap); + kfree(fp); +-- +2.5.5 + diff --git a/ALSA-usb-audio-Minor-code-cleanup-in-create_fixed_st.patch b/ALSA-usb-audio-Minor-code-cleanup-in-create_fixed_st.patch new file mode 100644 index 000000000..65f88553b --- /dev/null +++ b/ALSA-usb-audio-Minor-code-cleanup-in-create_fixed_st.patch @@ -0,0 +1,62 @@ +From aa6c68ed429ba354b904554d396326bfd9ab96bf Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Tue, 15 Mar 2016 12:14:49 +0100 +Subject: [PATCH 1/2] ALSA: usb-audio: Minor code cleanup in + create_fixed_stream_quirk() + +Just a minor code cleanup: unify the error paths. + +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/usb/quirks.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index f2e4eebdf76d..2f0bbc43f902 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -167,23 +167,18 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + stream = (fp->endpoint & USB_DIR_IN) + ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + err = snd_usb_add_audio_stream(chip, stream, fp); +- if (err < 0) { +- kfree(fp); +- kfree(rate_table); +- return err; +- } ++ if (err < 0) ++ goto error; + if (fp->iface != get_iface_desc(&iface->altsetting[0])->bInterfaceNumber || + fp->altset_idx >= iface->num_altsetting) { +- kfree(fp); +- kfree(rate_table); +- return -EINVAL; ++ err = -EINVAL; ++ goto error; + } + alts = &iface->altsetting[fp->altset_idx]; + altsd = get_iface_desc(alts); + if (altsd->bNumEndpoints < 1) { +- kfree(fp); +- kfree(rate_table); +- return -EINVAL; ++ err = -EINVAL; ++ goto error; + } + + fp->protocol = altsd->bInterfaceProtocol; +@@ -196,6 +191,11 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip, + snd_usb_init_pitch(chip, fp->iface, alts, fp); + snd_usb_init_sample_rate(chip, fp->iface, alts, fp, fp->rate_max); + return 0; ++ ++ error: ++ kfree(fp); ++ kfree(rate_table); ++ return err; + } + + static int create_auto_pcm_quirk(struct snd_usb_audio *chip, +-- +2.5.5 + diff --git a/kernel.spec b/kernel.spec index 2d102d24b..358fbe8e5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -633,6 +633,8 @@ Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch #CVE-2016-2184 rhbz 1317012 1317470 Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch +Patch667: ALSA-usb-audio-Minor-code-cleanup-in-create_fixed_st.patch +Patch668: ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch #CVE-2016-3137 rhbz 1317010 1316996 Patch672: cypress_m8-add-sanity-checking.patch @@ -2119,6 +2121,9 @@ fi # # %changelog +* Thu Mar 31 2016 Josh Boyer <jwboyer@fedoraproject.org> +- Add two more patches for CVE-2016-2184 + * Wed Mar 30 2016 Laura Abbott <labbott@redhat.com> - 4.4.6-301 - Bump and build |