diff options
author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:50:12 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:50:12 +0200 |
commit | 681b6e77b7ae8b95b8bcc70d29f9808e859be769 (patch) | |
tree | 3bc18449e81ba0f50f9b12eeba74b88eeb0c5691 | |
parent | fd3325b122c8985bc6d0e349e1aee278b56e2d73 (diff) | |
download | enea-kernel-cache-681b6e77b7ae8b95b8bcc70d29f9808e859be769.tar.gz |
ALSA: CVE-2018-10902
ALSA: rawmidi: Change resized buffers atomically
Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=c4f094deb3d69dcc8b4e3dc6c056c1e62a72c33e
Change-Id: Ie77efba9d2c800374a5713af455877de58bd47a6
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
-rw-r--r-- | patches/cve/CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch | 89 |
2 files changed, 92 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 65206d1..f521594 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
@@ -21,3 +21,6 @@ SRC_URI += "file://CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patc | |||
21 | 21 | ||
22 | #CVEs fixed in 4.9.113: | 22 | #CVEs fixed in 4.9.113: |
23 | SRC_URI += "file://CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch" | 23 | SRC_URI += "file://CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch" |
24 | |||
25 | #CVEs fixed in 4.9.115: | ||
26 | SRC_URI += "file://CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch" | ||
diff --git a/patches/cve/CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch b/patches/cve/CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch new file mode 100644 index 0000000..7c9f4c5 --- /dev/null +++ b/patches/cve/CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch | |||
@@ -0,0 +1,89 @@ | |||
1 | From c4f094deb3d69dcc8b4e3dc6c056c1e62a72c33e Mon Sep 17 00:00:00 2001 | ||
2 | From: Takashi Iwai <tiwai@suse.de> | ||
3 | Date: Tue, 17 Jul 2018 17:26:43 +0200 | ||
4 | Subject: [PATCH] ALSA: rawmidi: Change resized buffers atomically | ||
5 | |||
6 | commit 39675f7a7c7e7702f7d5341f1e0d01db746543a0 upstream. | ||
7 | |||
8 | The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the | ||
9 | current code is racy. For example, the sequencer client may write to | ||
10 | buffer while it being resized. | ||
11 | |||
12 | As a simple workaround, let's switch to the resized buffer inside the | ||
13 | stream runtime lock. | ||
14 | |||
15 | CVE: CVE-2018-10902 | ||
16 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=c4f094deb3d69dcc8b4e3dc6c056c1e62a72c33e] | ||
17 | |||
18 | Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com | ||
19 | Cc: <stable@vger.kernel.org> | ||
20 | Signed-off-by: Takashi Iwai <tiwai@suse.de> | ||
21 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
22 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
23 | --- | ||
24 | sound/core/rawmidi.c | 20 ++++++++++++++------ | ||
25 | 1 file changed, 14 insertions(+), 6 deletions(-) | ||
26 | |||
27 | diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c | ||
28 | index 16f8124b1150..59111cadaec2 100644 | ||
29 | --- a/sound/core/rawmidi.c | ||
30 | +++ b/sound/core/rawmidi.c | ||
31 | @@ -635,7 +635,7 @@ static int snd_rawmidi_info_select_user(struct snd_card *card, | ||
32 | int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream, | ||
33 | struct snd_rawmidi_params * params) | ||
34 | { | ||
35 | - char *newbuf; | ||
36 | + char *newbuf, *oldbuf; | ||
37 | struct snd_rawmidi_runtime *runtime = substream->runtime; | ||
38 | |||
39 | if (substream->append && substream->use_count > 1) | ||
40 | @@ -648,13 +648,17 @@ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream, | ||
41 | return -EINVAL; | ||
42 | } | ||
43 | if (params->buffer_size != runtime->buffer_size) { | ||
44 | - newbuf = krealloc(runtime->buffer, params->buffer_size, | ||
45 | - GFP_KERNEL); | ||
46 | + newbuf = kmalloc(params->buffer_size, GFP_KERNEL); | ||
47 | if (!newbuf) | ||
48 | return -ENOMEM; | ||
49 | + spin_lock_irq(&runtime->lock); | ||
50 | + oldbuf = runtime->buffer; | ||
51 | runtime->buffer = newbuf; | ||
52 | runtime->buffer_size = params->buffer_size; | ||
53 | runtime->avail = runtime->buffer_size; | ||
54 | + runtime->appl_ptr = runtime->hw_ptr = 0; | ||
55 | + spin_unlock_irq(&runtime->lock); | ||
56 | + kfree(oldbuf); | ||
57 | } | ||
58 | runtime->avail_min = params->avail_min; | ||
59 | substream->active_sensing = !params->no_active_sensing; | ||
60 | @@ -665,7 +669,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params); | ||
61 | int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream, | ||
62 | struct snd_rawmidi_params * params) | ||
63 | { | ||
64 | - char *newbuf; | ||
65 | + char *newbuf, *oldbuf; | ||
66 | struct snd_rawmidi_runtime *runtime = substream->runtime; | ||
67 | |||
68 | snd_rawmidi_drain_input(substream); | ||
69 | @@ -676,12 +680,16 @@ int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream, | ||
70 | return -EINVAL; | ||
71 | } | ||
72 | if (params->buffer_size != runtime->buffer_size) { | ||
73 | - newbuf = krealloc(runtime->buffer, params->buffer_size, | ||
74 | - GFP_KERNEL); | ||
75 | + newbuf = kmalloc(params->buffer_size, GFP_KERNEL); | ||
76 | if (!newbuf) | ||
77 | return -ENOMEM; | ||
78 | + spin_lock_irq(&runtime->lock); | ||
79 | + oldbuf = runtime->buffer; | ||
80 | runtime->buffer = newbuf; | ||
81 | runtime->buffer_size = params->buffer_size; | ||
82 | + runtime->appl_ptr = runtime->hw_ptr = 0; | ||
83 | + spin_unlock_irq(&runtime->lock); | ||
84 | + kfree(oldbuf); | ||
85 | } | ||
86 | runtime->avail_min = params->avail_min; | ||
87 | return 0; | ||
88 | |||
89 | |||