diff options
author | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 14:12:51 +0100 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2019-02-04 14:12:51 +0100 |
commit | e8c309fe8becda3d5d7c95cdfc685e2f38ccc3ba (patch) | |
tree | 732ff87366ff7f0e52222df4d940b0cf6ea43052 /patches | |
parent | 4122d7341425209be538c71dffed6043659d683b (diff) | |
download | enea-kernel-cache-e8c309fe8becda3d5d7c95cdfc685e2f38ccc3ba.tar.gz |
ALSA: CVE-2018-19824
ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-19824
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=19f74e45746253cafb8cb1e773041e7cadbac622
Change-Id: Iee9eb9ca550408dde865a8ff08385e7c337ed763
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
Diffstat (limited to 'patches')
-rw-r--r-- | patches/cve/4.14.x.scc | 2 | ||||
-rw-r--r-- | patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch | 56 |
2 files changed, 57 insertions, 1 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index e1a218f..a33811b 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc | |||
@@ -15,4 +15,4 @@ patch CVE-2018-19407-KVM-X86-Fix-scan-ioapic-use-before-initialization.patch | |||
15 | patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch | 15 | patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch |
16 | #CVEs fixed in 4.14.88: | 16 | #CVEs fixed in 4.14.88: |
17 | patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch | 17 | patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch |
18 | 18 | patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch | |
diff --git a/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch b/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch new file mode 100644 index 0000000..01df831 --- /dev/null +++ b/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch | |||
@@ -0,0 +1,56 @@ | |||
1 | From 19f74e45746253cafb8cb1e773041e7cadbac622 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hui Peng <benquike@gmail.com> | ||
3 | Date: Mon, 3 Dec 2018 16:09:34 +0100 | ||
4 | Subject: [PATCH] ALSA: usb-audio: Fix UAF decrement if card has no live | ||
5 | interfaces in card.c | ||
6 | |||
7 | commit 5f8cf712582617d523120df67d392059eaf2fc4b upstream. | ||
8 | |||
9 | If a USB sound card reports 0 interfaces, an error condition is triggered | ||
10 | and the function usb_audio_probe errors out. In the error path, there was a | ||
11 | use-after-free vulnerability where the memory object of the card was first | ||
12 | freed, followed by a decrement of the number of active chips. Moving the | ||
13 | decrement above the atomic_dec fixes the UAF. | ||
14 | |||
15 | [ The original problem was introduced in 3.1 kernel, while it was | ||
16 | developed in a different form. The Fixes tag below indicates the | ||
17 | original commit but it doesn't mean that the patch is applicable | ||
18 | cleanly. -- tiwai ] | ||
19 | |||
20 | CVE: CVE-2018-19824 | ||
21 | Upstream-Status: Backport | ||
22 | |||
23 | Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit") | ||
24 | Reported-by: Hui Peng <benquike@gmail.com> | ||
25 | Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> | ||
26 | Signed-off-by: Hui Peng <benquike@gmail.com> | ||
27 | Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net> | ||
28 | Cc: <stable@vger.kernel.org> | ||
29 | Signed-off-by: Takashi Iwai <tiwai@suse.de> | ||
30 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
31 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
32 | --- | ||
33 | sound/usb/card.c | 5 ++++- | ||
34 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
35 | |||
36 | diff --git a/sound/usb/card.c b/sound/usb/card.c | ||
37 | index 23d1d23aefec..4169c71f8a32 100644 | ||
38 | --- a/sound/usb/card.c | ||
39 | +++ b/sound/usb/card.c | ||
40 | @@ -644,9 +644,12 @@ static int usb_audio_probe(struct usb_interface *intf, | ||
41 | |||
42 | __error: | ||
43 | if (chip) { | ||
44 | + /* chip->active is inside the chip->card object, | ||
45 | + * decrement before memory is possibly returned. | ||
46 | + */ | ||
47 | + atomic_dec(&chip->active); | ||
48 | if (!chip->num_interfaces) | ||
49 | snd_card_free(chip->card); | ||
50 | - atomic_dec(&chip->active); | ||
51 | } | ||
52 | mutex_unlock(®ister_mutex); | ||
53 | return err; | ||
54 | -- | ||
55 | 2.19.2 | ||
56 | |||