From e8c309fe8becda3d5d7c95cdfc685e2f38ccc3ba Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Mon, 4 Feb 2019 14:12:51 +0100 Subject: ALSA: CVE-2018-19824 ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c References: https://nvd.nist.gov/vuln/detail/CVE-2018-19824 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=19f74e45746253cafb8cb1e773041e7cadbac622 Change-Id: Iee9eb9ca550408dde865a8ff08385e7c337ed763 Signed-off-by: Andreas Wellving --- patches/cve/4.14.x.scc | 2 +- ...dio-Fix-UAF-decrement-if-card-has-no-live.patch | 56 ++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index e1a218f..a33811b 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc @@ -15,4 +15,4 @@ patch CVE-2018-19407-KVM-X86-Fix-scan-ioapic-use-before-initialization.patch patch CVE-2018-18397-userfaultfd-use-ENOENT-instead-of-EFAULT-if-the-atom.patch #CVEs fixed in 4.14.88: patch CVE-2018-14625-vhost-vsock-fix-use-after-free-in-network-stack-call.patch - +patch CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch diff --git a/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch b/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch new file mode 100644 index 0000000..01df831 --- /dev/null +++ b/patches/cve/CVE-2018-19824-ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch 
@@ -0,0 +1,56 @@ +From 19f74e45746253cafb8cb1e773041e7cadbac622 Mon Sep 17 00:00:00 2001 +From: Hui Peng +Date: Mon, 3 Dec 2018 16:09:34 +0100 +Subject: [PATCH] ALSA: usb-audio: Fix UAF decrement if card has no live + interfaces in card.c + +commit 5f8cf712582617d523120df67d392059eaf2fc4b upstream. + +If a USB sound card reports 0 interfaces, an error condition is triggered +and the function usb_audio_probe errors out. In the error path, there was a +use-after-free vulnerability where the memory object of the card was first +freed, followed by a decrement of the number of active chips. Moving the +decrement above the atomic_dec fixes the UAF. + +[ The original problem was introduced in 3.1 kernel, while it was + developed in a different form. The Fixes tag below indicates the + original commit but it doesn't mean that the patch is applicable + cleanly. -- tiwai ] + +CVE: CVE-2018-19824 +Upstream-Status: Backport + +Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit") +Reported-by: Hui Peng +Reported-by: Mathias Payer +Signed-off-by: Hui Peng +Signed-off-by: Mathias Payer +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andreas Wellving +--- + sound/usb/card.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/usb/card.c b/sound/usb/card.c +index 23d1d23aefec..4169c71f8a32 100644 +--- a/sound/usb/card.c ++++ b/sound/usb/card.c +@@ -644,9 +644,12 @@ static int usb_audio_probe(struct usb_interface *intf, + + __error: + if (chip) { ++ /* chip->active is inside the chip->card object, ++ * decrement before memory is possibly returned. ++ */ ++ atomic_dec(&chip->active); + if (!chip->num_interfaces) + snd_card_free(chip->card); +- atomic_dec(&chip->active); + } + mutex_unlock(®ister_mutex); + return err; +-- +2.19.2 + -- cgit v1.2.3-54-g00ecf
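Review bot: In the patches/cve/4.14.x.scc hunk, the new entry is appended under the existing "#CVEs fixed in 4.14.88:" comment, but nothing in this commit shows which stable release carries 19f74e45746253cafb8cb1e773041e7cadbac622. Confirm that the fix shipped in 4.14.88; if it landed in a different release, put the entry under its own "#CVEs fixed in 4.14.x:" header so the grouping stays accurate for anyone auditing which CVE patches can be dropped after a kernel uprev.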
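Review bot: The embedded commit message for the sound/usb/card.c hunk says "Moving the decrement above the atomic_dec fixes the UAF", which names the wrong call: the diff moves atomic_dec(&chip->active) itself above the conditional snd_card_free(chip->card). Since this file is a verbatim backport, the upstream text is reasonably left untouched, so consider stating the actual ordering in the wrapper commit message instead. The reordering is consistent with the added comment that chip->active lives inside the chip->card object, and in the visible error path nothing after snd_card_free() touches chip again (only the mutex unlock and return err follow).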