Add another patch for CVE-2016-2184

2 files changed, 106 insertions, 0 deletions

diff --git a/ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch b/ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch
new file mode 100644
index 000000000..c1c72f9bf
--- /dev/null
+++ b/ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch
@@ -0,0 +1,100 @@
+From 1b9e866417f77622b03f5b9c4e2845133054e670 Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Thu, 31 Mar 2016 12:05:43 -0400
+Subject: [PATCH 2/2] ALSA: usb-audio: Fix double-free in error paths after
+ snd_usb_add_audio_stream() call
+
+create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
+create_uaxx_quirk() functions allocate the audioformat object by themselves
+and free it upon error before returning. However, once the object is linked
+to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
+double-freed, eventually resulting in a memory corruption.
+
+This patch fixes these failures in the error paths by unlinking the audioformat
+object before freeing it.
+
+Based on a patch by Takashi Iwai" <tiwai@suse.de>
+
+[Note for stable backports:
+ this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
+ code cleanup in create_fixed_stream_quirk()')]
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Cc: <stable@vger.kernel.org> # see the note above
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ sound/usb/quirks.c | 4 ++++
+ sound/usb/stream.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 2f0bbc43f902..6f68ba9bda8a 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -150,6 +150,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ 		usb_audio_err(chip, "cannot memdup\n");
+ 		return -ENOMEM;
+ 	}
++	INIT_LIST_HEAD(&fp->list);
+ 	if (fp->nr_rates > MAX_NR_RATES) {
+ 		kfree(fp);
+ 		return -EINVAL;
+@@ -193,6 +194,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ 	return 0;
+ 
+  error:
++	list_del(&fp->list); /* unlink for avoiding double-free */
+ 	kfree(fp);
+ 	kfree(rate_table);
+ 	return err;
+@@ -468,6 +470,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
+ 	fp->ep_attr = get_endpoint(alts, 0)->bmAttributes;
+ 	fp->datainterval = 0;
+ 	fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
++	INIT_LIST_HEAD(&fp->list);
+ 
+ 	switch (fp->maxpacksize) {
+ 	case 0x120:
+@@ -491,6 +494,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
+ 		? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
+ 	err = snd_usb_add_audio_stream(chip, stream, fp);
+ 	if (err < 0) {
++		list_del(&fp->list); /* unlink for avoiding double-free */
+ 		kfree(fp);
+ 		return err;
+ 	}
+diff --git a/sound/usb/stream.c b/sound/usb/stream.c
+index 8ee14f2365e7..3b23102230c0 100644
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -316,7 +316,9 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits,
+ /*
+  * add this endpoint to the chip instance.
+  * if a stream with the same endpoint already exists, append to it.
+- * if not, create a new pcm stream.
++ * if not, create a new pcm stream. note, fp is added to the substream
++ * fmt_list and will be freed on the chip instance release. do not free
++ * fp or do remove it from the substream fmt_list to avoid double-free.
+  */
+ int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
+ 			     int stream,
+@@ -677,6 +679,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
+ 					* (fp->maxpacksize & 0x7ff);
+ 		fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no);
+ 		fp->clock = clock;
++		INIT_LIST_HEAD(&fp->list);
+ 
+ 		/* some quirks for attributes here */
+ 
+@@ -725,6 +728,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
+ 		dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint);
+ 		err = snd_usb_add_audio_stream(chip, stream, fp);
+ 		if (err < 0) {
++			list_del(&fp->list); /* unlink for avoiding double-free */
+ 			kfree(fp->rate_table);
+ 			kfree(fp->chmap);
+ 			kfree(fp);
+-- 
+2.5.5
+
diff --git a/kernel.spec b/kernel.spec
index 213da785f..f1bb672dc 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -619,6 +619,9 @@ Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
 #CVE-2016-3134 rhbz 1317383 1317384
 Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 
+#CVE-2016-2184 rhbz 1317012 1317470
+Patch668: ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch
+
 #CVE-2016-3137 rhbz 1317010 1316996
 Patch672: cypress_m8-add-sanity-checking.patch
 
@@ -2164,6 +2167,9 @@ fi
 #
 # 
 %changelog
+* Thu Mar 31 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Add another patch for CVE-2016-2184
+
 * Wed Mar 30 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - Fix undefined __always_inline in exported headers (rhbz 1321749)
 - Make sure to install objtool in -devel subpackage if it exists (rhbz 1321628)