From 785b96f8ba3974f62adeffb3be063afc8ffc7d6b Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Tue, 4 Dec 2018 10:02:50 -0600
Subject: Fix CVE-2018-19824 (rhbz 1655816 1655817)
---
 ...dio-fix-UAF-decrement-if-card-has-no-live.patch | 49 ++++++++++++++++++++++
 kernel.spec | 6 +++
 2 files changed, 55 insertions(+)
 create mode 100644 alsa-usb-audio-fix-UAF-decrement-if-card-has-no-live.patch
diff --git a/alsa-usb-audio-fix-UAF-decrement-if-card-has-no-live.patch b/alsa-usb-audio-fix-UAF-decrement-if-card-has-no-live.patch
new file mode 100644
index 000000000..6dc9fa5d0
--- /dev/null
+++ b/alsa-usb-audio-fix-UAF-decrement-if-card-has-no-live.patch
@@ -0,0 +1,49 @@
+From 5f8cf712582617d523120df67d392059eaf2fc4b Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Mon, 3 Dec 2018 16:09:34 +0100
+Subject: ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in
+ card.c
+
+If a USB sound card reports 0 interfaces, an error condition is triggered
+and the function usb_audio_probe errors out. In the error path, there was a
+use-after-free vulnerability where the memory object of the card was first
+freed, followed by a decrement of the number of active chips. Moving the
+decrement above the atomic_dec fixes the UAF.
+
+[ The original problem was introduced in 3.1 kernel, while it was
+ developed in a different form. The Fixes tag below indicates the
+ original commit but it doesn't mean that the patch is applicable
+ cleanly. -- tiwai ]
+
+Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
+Reported-by: Hui Peng
+Reported-by: Mathias Payer
+Signed-off-by: Hui Peng
+Signed-off-by: Mathias Payer
+Cc:
+Signed-off-by: Takashi Iwai
+---
+ sound/usb/card.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/sound/usb/card.c b/sound/usb/card.c
+index 2bfe4e80a6b9..a105947eaf55 100644
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -682,9 +682,12 @@ static int usb_audio_probe(struct usb_interface *intf,
+
+ __error:
+ if (chip) {
++ /* chip->active is inside the chip->card object,
++ * decrement before memory is possibly returned.
++ */
++ atomic_dec(&chip->active);
+ if (!chip->num_interfaces)
+ snd_card_free(chip->card);
+- atomic_dec(&chip->active);
+ }
+ mutex_unlock(®ister_mutex);
+ return err;
+--
+cgit 1.2-0.3.lf.el7
+
diff --git a/kernel.spec b/kernel.spec
index 2e772477b..b2a5486bf 100644
--- a/kernel.spec
+++ b/kernel.spec
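Review bot: The comment added in the `__error:` path says why `atomic_dec(&chip->active)` moved, but it does not spell out the rule a later editor has to keep, namely that `chip` must not be touched once `snd_card_free(chip->card)` has run. I would word it as `/* chip lives inside the chip->card allocation: no access to chip after snd_card_free() */`. The carried commit message also says the decrement moved "above the atomic_dec", while the code shows it moved above `snd_card_free()`, which can mislead someone triaging CVE-2018-19824 from the message alone. usb_audio_probe begins outside this hunk, and the upstream note warns the patch may not apply cleanly to older trees, so it is worth confirming the hunk lands on the same `__error:` block in the packaged kernel.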
@@ -651,6 +651,9 @@ Patch516: asus-fx503-keyb.patch # rbhz 1554304 patch in the sound tree and Cc'd for stable Patch517: ALSA-hda-realtek-Fix-speaker-output-regression-on-Thinkpad.patch +# CVE-2018-19824 rhbz 1655816 1655817 +Patch518: alsa-usb-audio-fix-UAF-decrement-if-card-has-no-live.patch + # END OF PATCH DEFINITIONS %endif @@ -1912,6 +1915,9 @@ fi # # %changelog +* Tue Dec 04 2018 Justin M. Forbes +- Fix CVE-2018-19824 (rhbz 1655816 1655817) + * Mon Dec 03 2018 Jeremy Cline - Fix very quiet speakers on the Thinkpad T570 (rhbz 1554304) -- cgit