ALSA: CVE-2018-10902

ALSA: rawmidi: Change resized buffers atomically Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=c4f094deb3d69dcc8b4e3dc6c056c1e62a72c33e Change-Id: Ie77efba9d2c800374a5713af455877de58bd47a6 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-26 13:50:12 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-26 13:50:12 +0200
commit: 681b6e77b7ae8b95b8bcc70d29f9808e859be769 (patch)
tree: 3bc18449e81ba0f50f9b12eeba74b88eeb0c5691
parent: fd3325b122c8985bc6d0e349e1aee278b56e2d73 (diff)
download: enea-kernel-cache-681b6e77b7ae8b95b8bcc70d29f9808e859be769.tar.gz
2 files changed, 92 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 65206d1..f521594 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -21,3 +21,6 @@ SRC_URI += "file://CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patc
 #CVEs fixed in 4.9.113:
 SRC_URI += "file://CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch"
+#CVEs fixed in 4.9.115:
+SRC_URI += "file://CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch"
diff --git a/patches/cve/CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch b/patches/cve/CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch
new file mode 100644
index 0000000..7c9f4c5
--- /dev/null
+++ b/patches/cve/CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch
@@ -0,0 +1,89 @@
+From c4f094deb3d69dcc8b4e3dc6c056c1e62a72c33e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 17 Jul 2018 17:26:43 +0200
+Subject: [PATCH] ALSA: rawmidi: Change resized buffers atomically
+commit 39675f7a7c7e7702f7d5341f1e0d01db746543a0 upstream.
+The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the
+current code is racy.  For example, the sequencer client may write to
+buffer while it being resized.
+As a simple workaround, let's switch to the resized buffer inside the
+stream runtime lock.
+CVE: CVE-2018-10902
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=c4f094deb3d69dcc8b4e3dc6c056c1e62a72c33e]
+Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ sound/core/rawmidi.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
+index 16f8124b1150..59111cadaec2 100644
+--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
+@@ -635,7 +635,7 @@ static int snd_rawmidi_info_select_user(struct snd_card *card,
+ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
+                              struct snd_rawmidi_params * params)
+ {
+-       char *newbuf;
+       char *newbuf, *oldbuf;
+        struct snd_rawmidi_runtime *runtime = substream->runtime;
+        
+        if (substream->append && substream->use_count > 1)
+@@ -648,13 +648,17 @@ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
+                return -EINVAL;
+        }
+        if (params->buffer_size != runtime->buffer_size) {
+-               newbuf = krealloc(runtime->buffer, params->buffer_size,
+-                                 GFP_KERNEL);
+               newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
+                if (!newbuf)
+                        return -ENOMEM;
+               spin_lock_irq(&runtime->lock);
+               oldbuf = runtime->buffer;
+                runtime->buffer = newbuf;
+                runtime->buffer_size = params->buffer_size;
+                runtime->avail = runtime->buffer_size;
+               runtime->appl_ptr = runtime->hw_ptr = 0;
+               spin_unlock_irq(&runtime->lock);
+               kfree(oldbuf);
+        }
+        runtime->avail_min = params->avail_min;
+        substream->active_sensing = !params->no_active_sensing;
+@@ -665,7 +669,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params);
+ int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
+                             struct snd_rawmidi_params * params)
+ {
+-       char *newbuf;
+       char *newbuf, *oldbuf;
+        struct snd_rawmidi_runtime *runtime = substream->runtime;
+ 
+        snd_rawmidi_drain_input(substream);
+@@ -676,12 +680,16 @@ int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
+                return -EINVAL;
+        }
+        if (params->buffer_size != runtime->buffer_size) {
+-               newbuf = krealloc(runtime->buffer, params->buffer_size,
+-                                 GFP_KERNEL);
+               newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
+                if (!newbuf)
+                        return -ENOMEM;
+               spin_lock_irq(&runtime->lock);
+               oldbuf = runtime->buffer;
+                runtime->buffer = newbuf;
+                runtime->buffer_size = params->buffer_size;
+               runtime->appl_ptr = runtime->hw_ptr = 0;
+               spin_unlock_irq(&runtime->lock);
+               kfree(oldbuf);
+        }
+        runtime->avail_min = params->avail_min;
+        return 0;
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-26 13:50:12 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-26 13:50:12 +0200
commit	681b6e77b7ae8b95b8bcc70d29f9808e859be769 (patch)
tree	3bc18449e81ba0f50f9b12eeba74b88eeb0c5691
parent	fd3325b122c8985bc6d0e349e1aee278b56e2d73 (diff)
download	enea-kernel-cache-681b6e77b7ae8b95b8bcc70d29f9808e859be769.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 65206d1..f521594 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -21,3 +21,6 @@ SRC_URI += "file://CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patc
21		21
22	#CVEs fixed in 4.9.113:	22	#CVEs fixed in 4.9.113:
23	SRC_URI += "file://CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch"	23	SRC_URI += "file://CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch"
		24
		25	#CVEs fixed in 4.9.115:
		26	SRC_URI += "file://CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch"


diff --git a/patches/cve/CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch b/patches/cve/CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch new file mode 100644 index 0000000..7c9f4c5 --- /dev/null +++ b/patches/cve/CVE-2018-10902-ALSA-rawmidi-Change-resized-buffers-atomically.patch
@@ -0,0 +1,89 @@
		1	From c4f094deb3d69dcc8b4e3dc6c056c1e62a72c33e Mon Sep 17 00:00:00 2001
		2	From: Takashi Iwai <tiwai@suse.de>
		3	Date: Tue, 17 Jul 2018 17:26:43 +0200
		4	Subject: [PATCH] ALSA: rawmidi: Change resized buffers atomically
		5
		6	commit 39675f7a7c7e7702f7d5341f1e0d01db746543a0 upstream.
		7
		8	The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the
		9	current code is racy. For example, the sequencer client may write to
		10	buffer while it being resized.
		11
		12	As a simple workaround, let's switch to the resized buffer inside the
		13	stream runtime lock.
		14
		15	CVE: CVE-2018-10902
		16	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=c4f094deb3d69dcc8b4e3dc6c056c1e62a72c33e]
		17
		18	Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com
		19	Cc: <stable@vger.kernel.org>
		20	Signed-off-by: Takashi Iwai <tiwai@suse.de>
		21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		22	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		23	---
		24	sound/core/rawmidi.c \| 20 ++++++++++++++------
		25	1 file changed, 14 insertions(+), 6 deletions(-)
		26
		27	diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
		28	index 16f8124b1150..59111cadaec2 100644
		29	--- a/sound/core/rawmidi.c
		30	+++ b/sound/core/rawmidi.c
		31	@@ -635,7 +635,7 @@ static int snd_rawmidi_info_select_user(struct snd_card *card,
		32	int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
		33	struct snd_rawmidi_params * params)
		34	{
		35	- char *newbuf;
		36	+ char newbuf, oldbuf;
		37	struct snd_rawmidi_runtime *runtime = substream->runtime;
		38
		39	if (substream->append && substream->use_count > 1)
		40	@@ -648,13 +648,17 @@ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
		41	return -EINVAL;
		42	}
		43	if (params->buffer_size != runtime->buffer_size) {
		44	- newbuf = krealloc(runtime->buffer, params->buffer_size,
		45	- GFP_KERNEL);
		46	+ newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
		47	if (!newbuf)
		48	return -ENOMEM;
		49	+ spin_lock_irq(&runtime->lock);
		50	+ oldbuf = runtime->buffer;
		51	runtime->buffer = newbuf;
		52	runtime->buffer_size = params->buffer_size;
		53	runtime->avail = runtime->buffer_size;
		54	+ runtime->appl_ptr = runtime->hw_ptr = 0;
		55	+ spin_unlock_irq(&runtime->lock);
		56	+ kfree(oldbuf);
		57	}
		58	runtime->avail_min = params->avail_min;
		59	substream->active_sensing = !params->no_active_sensing;
		60	@@ -665,7 +669,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params);
		61	int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
		62	struct snd_rawmidi_params * params)
		63	{
		64	- char *newbuf;
		65	+ char newbuf, oldbuf;
		66	struct snd_rawmidi_runtime *runtime = substream->runtime;
		67
		68	snd_rawmidi_drain_input(substream);
		69	@@ -676,12 +680,16 @@ int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
		70	return -EINVAL;
		71	}
		72	if (params->buffer_size != runtime->buffer_size) {
		73	- newbuf = krealloc(runtime->buffer, params->buffer_size,
		74	- GFP_KERNEL);
		75	+ newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
		76	if (!newbuf)
		77	return -ENOMEM;
		78	+ spin_lock_irq(&runtime->lock);
		79	+ oldbuf = runtime->buffer;
		80	runtime->buffer = newbuf;
		81	runtime->buffer_size = params->buffer_size;
		82	+ runtime->appl_ptr = runtime->hw_ptr = 0;
		83	+ spin_unlock_irq(&runtime->lock);
		84	+ kfree(oldbuf);
		85	}
		86	runtime->avail_min = params->avail_min;
		87	return 0;
		88
		89