author: Josh Boyer <jwboyer@fedoraproject.org> 2016-02-15 08:28:02 -0500
committer: Josh Boyer <jwboyer@fedoraproject.org> 2016-02-15 08:31:38 -0500
commit: debee96e5ec8b261067388815e9a744733f3a478
tree: 6a92cdc3c50cd1f86eb644f4d52523492a7877a4
parent: 568b33d005418cf0437540f76752179f5e952adf
CVE-2016-2384 double free in usb-audio from invalid USB descriptor (rhbz 1308444 1308445)
-rw-r--r-- ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch | 34
-rw-r--r-- kernel.spec | 6
2 files changed, 40 insertions, 0 deletions
diff --git a/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch b/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
new file mode 100644
index 000000000..c59d68361
--- /dev/null
+++ b/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
@@ -0,0 +1,34 @@
+From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@gmail.com>
+Date: Sat, 13 Feb 2016 11:08:06 +0300
+Subject: [PATCH] ALSA: usb-audio: avoid freeing umidi object twice
+
+The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
+when tearing down the rawmidi interface. So we shouldn't try to free it
+in snd_usbmidi_create() after having registered the rawmidi interface.
+
+Found by KASAN.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
+Acked-by: Clemens Ladisch <clemens@ladisch.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/midi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index cc39f63299ef..007cf5831121 100644
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card,
+ else
+ err = snd_usbmidi_create_endpoints(umidi, endpoints);
+ if (err < 0) {
+- snd_usbmidi_free(umidi);
+ return err;
+ }
+
+--
+2.5.0
+
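Review bot: the error branch after snd_usbmidi_create_endpoints() in the embedded sound/usb/midi.c hunk now returns with umidi still allocated, and nothing at that site says who owns the object. The patch description explains that snd_usbmidi_free() runs when the rawmidi interface is torn down; a one-line comment above `return err;` stating that would make it less likely for a later cleanup pass to put the free back and reintroduce the double free. The call that registers the rawmidi interface is outside the visible context, so the description could also name it to make the ownership hand-off easy to verify.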
diff --git a/kernel.spec b/kernel.spec
index d73173fa3..57b2e8aad 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -631,6 +631,9 @@ Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
#CVE-2016-0617 rhbz 1305803 1305804
Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
+#CVE-2016-2384 rhbz 1308444 1308445
+Patch649: ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
+
# END OF PATCH DEFINITIONS
%endif
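Review bot: Patch649 is declared here, but neither kernel.spec hunk in this commit shows a step that applies it. If the spec applies every declared PatchNNN automatically, nothing more is needed; if it uses per-patch apply lines, one is missing and the package would ship the patch file without building the fix in. Worth confirming against the prep section before building.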
@@ -2074,6 +2077,9 @@ fi
#
#
%changelog
+* Mon Feb 15 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-2384 double free in usb-audio from invalid USB descriptor (rhbz 1308444 1308445)
+
* Fri Feb 12 2016 Laura Abbott <labbott@fedoraproject.org>
- Turn off W+X warnings (rhbz 1306885)
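Review bot: the changelog entry is added with no accompanying change to a release or build-id line (the diffstat reports 0 deletions and only these six insertions in kernel.spec). Confirm the bump lands in a separate commit, so that a build carrying the CVE-2016-2384 fix can be told apart from the Feb 12 build by its version string alone.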