summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch34
-rw-r--r--kernel.spec6
2 files changed, 40 insertions, 0 deletions
diff --git a/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch b/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
new file mode 100644
index 000000000..c59d68361
--- /dev/null
+++ b/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
@@ -0,0 +1,34 @@
+From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@gmail.com>
+Date: Sat, 13 Feb 2016 11:08:06 +0300
+Subject: [PATCH] ALSA: usb-audio: avoid freeing umidi object twice
+
+The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
+when tearing down the rawmidi interface. So we shouldn't try to free it
+in snd_usbmidi_create() after having registered the rawmidi interface.
+
+Found by KASAN.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
+Acked-by: Clemens Ladisch <clemens@ladisch.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/midi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index cc39f63299ef..007cf5831121 100644
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card,
+ else
+ err = snd_usbmidi_create_endpoints(umidi, endpoints);
+ if (err < 0) {
+- snd_usbmidi_free(umidi);
+ return err;
+ }
+
+--
+2.5.0
+
diff --git a/kernel.spec b/kernel.spec
index d73173fa3..57b2e8aad 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -631,6 +631,9 @@ Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
#CVE-2016-0617 rhbz 1305803 1305804
Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
+#CVE-2016-2384 rhbz 1308444 1308445
+Patch649: ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2074,6 +2077,9 @@ fi
#
#
%changelog
+* Mon Feb 15 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-2384 double free in usb-audio from invalid USB descriptor (rhbz 1308444 1308445)
+
* Fri Feb 12 2016 Laura Abbott <labbott@fedoraproject.org>
- Turn off W+X warnings (rhbz 1306885)