ALSA: CVE-2018-19824

ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c References: https://nvd.nist.gov/vuln/detail/CVE-2018-19824 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=19f74e45746253cafb8cb1e773041e7cadbac622 Change-Id: Iee9eb9ca550408dde865a8ff08385e7c337ed763 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-02-04 14:12:51 +0100
committer: Andreas Wellving <andreas.wellving@enea.com> 2019-02-04 14:12:51 +0100
commit: e8c309fe8becda3d5d7c95cdfc685e2f38ccc3ba (patch)
tree: 732ff87366ff7f0e52222df4d940b0cf6ea43052
parent: 4122d7341425209be538c71dffed6043659d683b (diff)
download: enea-kernel-cache-e8c309fe8becda3d5d7c95cdfc685e2f38ccc3ba.tar.gz
2 files changed, 57 insertions, 1 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
index e1a218f..a33811b 100644
--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -15,4 +15,4 @@ patch CVE-2018-19407-KVM-X86-Fix-scan-ioapic-use-before-initialization.patch
 patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch
 #CVEs fixed in 4.14.88:
 patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch
+patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
diff --git a/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch b/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
new file mode 100644
index 0000000..01df831
--- /dev/null
+++ b/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
@@ -0,0 +1,56 @@
+From 19f74e45746253cafb8cb1e773041e7cadbac622 Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Mon, 3 Dec 2018 16:09:34 +0100
+Subject: [PATCH] ALSA: usb-audio: Fix UAF decrement if card has no live
+ interfaces in card.c
+commit 5f8cf712582617d523120df67d392059eaf2fc4b upstream.
+If a USB sound card reports 0 interfaces, an error condition is triggered
+and the function usb_audio_probe errors out. In the error path, there was a
+use-after-free vulnerability where the memory object of the card was first
+freed, followed by a decrement of the number of active chips. Moving the
+decrement above the atomic_dec fixes the UAF.
+[ The original problem was introduced in 3.1 kernel, while it was
+  developed in a different form.  The Fixes tag below indicates the
+  original commit but it doesn't mean that the patch is applicable
+  cleanly. -- tiwai ]
+CVE: CVE-2018-19824
+Upstream-Status: Backport
+Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ sound/usb/card.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/sound/usb/card.c b/sound/usb/card.c
+index 23d1d23aefec..4169c71f8a32 100644
+--- a/sound/usb/card.c
+++ b/sound/usb/card.c
+@@ -644,9 +644,12 @@ static int usb_audio_probe(struct usb_interface *intf,
+ 
+  __error:
+        if (chip) {
+               /* chip->active is inside the chip->card object,
+                * decrement before memory is possibly returned.
+                */
+               atomic_dec(&chip->active);
+                if (!chip->num_interfaces)
+                        snd_card_free(chip->card);
+-               atomic_dec(&chip->active);
+        }
+        mutex_unlock(&register_mutex);
+        return err;
+-- 
+2.19.2
author	Andreas Wellving <andreas.wellving@enea.com>	2019-02-04 14:12:51 +0100
committer	Andreas Wellving <andreas.wellving@enea.com>	2019-02-04 14:12:51 +0100
commit	e8c309fe8becda3d5d7c95cdfc685e2f38ccc3ba (patch)
tree	732ff87366ff7f0e52222df4d940b0cf6ea43052
parent	4122d7341425209be538c71dffed6043659d683b (diff)
download	enea-kernel-cache-e8c309fe8becda3d5d7c95cdfc685e2f38ccc3ba.tar.gz

diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index e1a218f..a33811b 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc
@@ -15,4 +15,4 @@ patch CVE-2018-19407-KVM-X86-Fix-scan-ioapic-use-before-initialization.patch
15	patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch	15	patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch
16	#CVEs fixed in 4.14.88:	16	#CVEs fixed in 4.14.88:
17	patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch	17	patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch
18		18	patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch


diff --git a/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch b/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch new file mode 100644 index 0000000..01df831 --- /dev/null +++ b/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
@@ -0,0 +1,56 @@
		1	From 19f74e45746253cafb8cb1e773041e7cadbac622 Mon Sep 17 00:00:00 2001
		2	From: Hui Peng <benquike@gmail.com>
		3	Date: Mon, 3 Dec 2018 16:09:34 +0100
		4	Subject: [PATCH] ALSA: usb-audio: Fix UAF decrement if card has no live
		5	interfaces in card.c
		6
		7	commit 5f8cf712582617d523120df67d392059eaf2fc4b upstream.
		8
		9	If a USB sound card reports 0 interfaces, an error condition is triggered
		10	and the function usb_audio_probe errors out. In the error path, there was a
		11	use-after-free vulnerability where the memory object of the card was first
		12	freed, followed by a decrement of the number of active chips. Moving the
		13	decrement above the atomic_dec fixes the UAF.
		14
		15	[ The original problem was introduced in 3.1 kernel, while it was
		16	developed in a different form. The Fixes tag below indicates the
		17	original commit but it doesn't mean that the patch is applicable
		18	cleanly. -- tiwai ]
		19
		20	CVE: CVE-2018-19824
		21	Upstream-Status: Backport
		22
		23	Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
		24	Reported-by: Hui Peng <benquike@gmail.com>
		25	Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
		26	Signed-off-by: Hui Peng <benquike@gmail.com>
		27	Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
		28	Cc: <stable@vger.kernel.org>
		29	Signed-off-by: Takashi Iwai <tiwai@suse.de>
		30	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		31	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		32	---
		33	sound/usb/card.c \| 5 ++++-
		34	1 file changed, 4 insertions(+), 1 deletion(-)
		35
		36	diff --git a/sound/usb/card.c b/sound/usb/card.c
		37	index 23d1d23aefec..4169c71f8a32 100644
		38	--- a/sound/usb/card.c
		39	+++ b/sound/usb/card.c
		40	@@ -644,9 +644,12 @@ static int usb_audio_probe(struct usb_interface *intf,
		41
		42	__error:
		43	if (chip) {
		44	+ /* chip->active is inside the chip->card object,
		45	+ * decrement before memory is possibly returned.
		46	+ */
		47	+ atomic_dec(&chip->active);
		48	if (!chip->num_interfaces)
		49	snd_card_free(chip->card);
		50	- atomic_dec(&chip->active);
		51	}
		52	mutex_unlock(&register_mutex);
		53	return err;
		54	--
		55	2.19.2
		56