From a7b0d91e02b8df4b56325b22bc3aafd5253baa3a Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Tue, 10 May 2016 08:16:35 -0400
Subject: CVE-2016-4569 info leak in sound module (rhbz 1334643 1334645)
---
...imer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch | 33 +++++++++++++++++++++
...Fix-leak-in-events-via-snd_timer_user_cca.patch | 34 ++++++++++++++++++++++
...Fix-leak-in-events-via-snd_timer_user_tin.patch | 34 ++++++++++++++++++++++
kernel.spec | 8 +++++
4 files changed, 109 insertions(+)
create mode 100644 ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
create mode 100644 ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
create mode 100644 ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
diff --git a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
new file mode 100644
index 000000000..3eb8bf183
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
@@ -0,0 +1,33 @@
+From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Takashi Iwai
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 6469bedda2f3..964f5ebf495e 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
+ if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+ if (tu->tread) {
+ struct snd_timer_tread tread;
++ memset(&tread, 0, sizeof(tread));
+ tread.event = SNDRV_TIMER_EVENT_EARLY;
+ tread.tstamp.tv_sec = 0;
+ tread.tstamp.tv_nsec = 0;
+--
+2.5.5
+
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
new file mode 100644
index 000000000..e6f46f8a8
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
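Review bot: The added `memset(&tread, 0, sizeof(tread));` in the first patch carries no comment saying it exists for the padding, and because the lines after it assign the named fields it reads as redundant and is easy to drop or swap for a field-wise initialiser in a later cleanup. A `{0}` or designated initialiser is not guaranteed to clear padding bytes, so the memset form should stay; I would add `/* clear padding too: the whole struct is passed to user space */` directly above it. The same comment is worth adding above the `memset(&r1, 0, sizeof(r1));` lines in the snd_timer_user_ccallback and snd_timer_user_tinterrupt patches. snd_timer_user_params starts and ends outside this hunk, so the copy to user space is taken from the commit message rather than seen in the visible lines.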
@@ -0,0 +1,34 @@
+From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
+ snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Takashi Iwai
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 964f5ebf495e..e98fa5feb731 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
+ tu->tstamp = *tstamp;
+ if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ return;
++ memset(&r1, 0, sizeof(r1));
+ r1.event = event;
+ r1.tstamp = *tstamp;
+ r1.val = resolution;
+--
+2.5.5
+
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
new file mode 100644
index 000000000..7851c55a2
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
@@ -0,0 +1,34 @@
+From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
+ snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Takashi Iwai
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index e98fa5feb731..c69a27155433 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
+ }
+ if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ tu->last_resolution != resolution) {
++ memset(&r1, 0, sizeof(r1));
+ r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ r1.tstamp = tstamp;
+ r1.val = resolution;
+--
+2.5.5
+
diff --git a/kernel.spec b/kernel.spec
index 182e0a27e..9db76e260 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -667,6 +667,11 @@ Patch712: bpf-fix-refcnt-overflow.patch #rhbz 1328633 Patch713: sp5100_tco-properly-check-for-new-register-layouts.patch +#CVE-2016-4569 rhbz 1334643 1334645 +Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch +Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch +Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch + # END OF PATCH DEFINITIONS %endif
@@ -2188,6 +2193,9 @@ fi # # %changelog +* Tue May 10 2016 Josh Boyer +- CVE-2016-4569 info leak in sound module (rhbz 1334643 1334645) + * Mon May 09 2016 Justin M. Forbes - Fix ACPI issues with sp5100_tco (rhbz 1328633) -- cgit
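Review bot: In the third patch the added `memset(&r1, 0, sizeof(r1));` sits inside the `tu->last_resolution != resolution` branch of snd_timer_user_tinterrupt, so r1 is cleared only when that branch runs. The function continues past the end of the hunk; if r1 is filled and queued again further down for another event type, that use would still carry uninitialised padding whenever the resolution branch is skipped, which is worth checking against the full function. Moving the line above the `if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&` test would cover every later use of r1 with a single call.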