kernel-ALSA: CVE-2016-2384

Fixes double-free in usb-audio triggered by invalid USB descriptor (in the linux-qoriq-3.12). Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2384 Reference to the upstream patch: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=563b627dbd698b2ae2f385718f1682ec20a51119 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-04-14 14:40:15 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2016-04-15 15:18:24 +0200
commit: c3127da4e79258a68d5b9c6d1fbfb5f2e5e97fcb (patch)
tree: 62707f14cc7135c99def80964ef07b6623af9716
parent: fcf7696db59deb585129b0d4739ba6eab499617e (diff)
download: meta-enea-c3127da4e79258a68d5b9c6d1fbfb5f2e5e97fcb.tar.gz
2 files changed, 41 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-qoriq-3.12/ALSA-CVE-2016-2384.patch b/recipes-kernel/linux/linux-qoriq-3.12/ALSA-CVE-2016-2384.patch
new file mode 100644
index 0000000..44a81ca
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq-3.12/ALSA-CVE-2016-2384.patch
@@ -0,0 +1,40 @@
+From 563b627dbd698b2ae2f385718f1682ec20a51119 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@gmail.com>
+Date: Sat, 13 Feb 2016 11:08:06 +0300
+Subject: ALSA: usb-audio: avoid freeing umidi object twice
+commit 07d86ca93db7e5cdf4743564d98292042ec21af7 upstream.
+The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
+when tearing down the rawmidi interface. So we shouldn't try to free it
+in snd_usbmidi_create() after having registered the rawmidi interface.
+Found by KASAN.
+CVE: CVE-2016-2384
+Upstream-Status: Backport
+Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
+Acked-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ sound/usb/midi.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index 9123fc5..424c1e8 100644
+--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
+@@ -2365,7 +2365,6 @@ int snd_usbmidi_create(struct snd_card *card,
+        else
+                err = snd_usbmidi_create_endpoints(umidi, endpoints);
+        if (err < 0) {
+-               snd_usbmidi_free(umidi);
+                return err;
+        }
+ 
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc
index 76a6ac8..44b4ff5 100644
--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -27,6 +27,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
    file://CVE-2015-3636.patch \
    file://net-unix-CVE-2013-7446.patch \
    file://ALSA-CVE-2016-2546.patch \
+    file://ALSA-CVE-2016-2384.patch \
    "
 SRC_URI += "file://cfg/00013-localversion.cfg \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-04-14 14:40:15 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2016-04-15 15:18:24 +0200
commit	c3127da4e79258a68d5b9c6d1fbfb5f2e5e97fcb (patch)
tree	62707f14cc7135c99def80964ef07b6623af9716
parent	fcf7696db59deb585129b0d4739ba6eab499617e (diff)
download	meta-enea-c3127da4e79258a68d5b9c6d1fbfb5f2e5e97fcb.tar.gz

diff --git a/recipes-kernel/linux/linux-qoriq-3.12/ALSA-CVE-2016-2384.patch b/recipes-kernel/linux/linux-qoriq-3.12/ALSA-CVE-2016-2384.patch new file mode 100644 index 0000000..44a81ca --- /dev/null +++ b/recipes-kernel/linux/linux-qoriq-3.12/ALSA-CVE-2016-2384.patch
@@ -0,0 +1,40 @@
		1	From 563b627dbd698b2ae2f385718f1682ec20a51119 Mon Sep 17 00:00:00 2001
		2	From: Andrey Konovalov <andreyknvl@gmail.com>
		3	Date: Sat, 13 Feb 2016 11:08:06 +0300
		4	Subject: ALSA: usb-audio: avoid freeing umidi object twice
		5
		6	commit 07d86ca93db7e5cdf4743564d98292042ec21af7 upstream.
		7
		8	The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
		9	when tearing down the rawmidi interface. So we shouldn't try to free it
		10	in snd_usbmidi_create() after having registered the rawmidi interface.
		11
		12	Found by KASAN.
		13
		14	CVE: CVE-2016-2384
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
		18	Acked-by: Clemens Ladisch <clemens@ladisch.de>
		19	Signed-off-by: Takashi Iwai <tiwai@suse.de>
		20	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		21	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		22	---
		23	sound/usb/midi.c \| 1 -
		24	1 file changed, 1 deletion(-)
		25
		26	diff --git a/sound/usb/midi.c b/sound/usb/midi.c
		27	index 9123fc5..424c1e8 100644
		28	--- a/sound/usb/midi.c
		29	+++ b/sound/usb/midi.c
		30	@@ -2365,7 +2365,6 @@ int snd_usbmidi_create(struct snd_card *card,
		31	else
		32	err = snd_usbmidi_create_endpoints(umidi, endpoints);
		33	if (err < 0) {
		34	- snd_usbmidi_free(umidi);
		35	return err;
		36	}
		37
		38	--
		39	cgit v0.12
		40


diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc index 76a6ac8..44b4ff5 100644 --- a/recipes-kernel/linux/linux-qoriq-common.inc +++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -27,6 +27,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
27	file://CVE-2015-3636.patch \	27	file://CVE-2015-3636.patch \
28	file://net-unix-CVE-2013-7446.patch \	28	file://net-unix-CVE-2013-7446.patch \
29	file://ALSA-CVE-2016-2546.patch \	29	file://ALSA-CVE-2016-2546.patch \
		30	file://ALSA-CVE-2016-2384.patch \
30	"	31	"
31		32
32	SRC_URI += "file://cfg/00013-localversion.cfg \	33	SRC_URI += "file://cfg/00013-localversion.cfg \