ALSA: CVE-2014-4656

Handle numid overflow Make sure that id->index does not overflow References: http://www.openwall.com/lists/oss-security/2014/06/26/6 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4656 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-09-02 13:37:23 +0200
committer: Zhenhua Luo <zhenhua.luo@freescale.com> 2015-09-06 15:12:45 +0800
commit: fb7fe3a81e654f38b03c437aa94f1d0d7cb25960 (patch)
tree: 694d1b3f32b1a9411b70ee9a1373035fc01385ee
parent: 5eeeb3ad74b72d904f805bc6e248e93e722b45c4 (diff)
download: meta-fsl-ppc-fb7fe3a81e654f38b03c437aa94f1d0d7cb25960.tar.gz
3 files changed, 91 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch b/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch
new file mode 100644
index 0000000..9859025
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch
@@ -0,0 +1,43 @@
+From 7ee7663da07717a1b31ce60d2ebf12d2058ee975 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Wed, 18 Jun 2014 13:32:35 +0200
+Subject: [PATCH] ALSA: control: Make sure that id->index does not overflow
+commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream.
+The ALSA control code expects that the range of assigned indices to a control is
+continuous and does not overflow. Currently there are no checks to enforce this.
+If a control with a overflowing index range is created that control becomes
+effectively inaccessible and unremovable since snd_ctl_find_id() will not be
+able to find it. This patch adds a check that makes sure that controls with a
+overflowing index range can not be created.
+Fixes CVE-2014-4656
+Upstream-Status: Backport
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ sound/core/control.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/sound/core/control.c b/sound/core/control.c
+index 93215b4..98a29b2 100644
+--- a/sound/core/control.c
+++ b/sound/core/control.c
+@@ -343,6 +343,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
+        if (snd_BUG_ON(!card || !kcontrol->info))
+                goto error;
+        id = kcontrol->id;
+       if (id.index > UINT_MAX - kcontrol->count)
+               goto error;
+
+        down_write(&card->controls_rwsem);
+        if (snd_ctl_find_id(card, &id)) {
+                up_write(&card->controls_rwsem);
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
new file mode 100644
index 0000000..2065780
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
@@ -0,0 +1,46 @@
+From 669982364299f6f22bea4324f0f7ee8f8a361b87 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Wed, 18 Jun 2014 13:32:34 +0200
+Subject: [PATCH] ALSA: control: Handle numid overflow
+commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream.
+Each control gets automatically assigned its numids when the control is created.
+The allocation is done by incrementing the numid by the amount of allocated
+numids per allocation. This means that excessive creation and destruction of
+controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
+eventually overflow. Currently when this happens for the control that caused the
+overflow kctl->id.numid + kctl->count will also over flow causing it to be
+smaller than kctl->id.numid. Most of the code assumes that this is something
+that can not happen, so we need to make sure that it won't happen
+Fixes CVE-2014-4656
+Upstream-Status: Backport
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ sound/core/control.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/sound/core/control.c b/sound/core/control.c
+index d4a597f..93215b4 100644
+--- a/sound/core/control.c
+++ b/sound/core/control.c
+@@ -289,6 +289,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card,
+ {
+        struct snd_kcontrol *kctl;
+ 
+       /* Make sure that the ids assigned to the control do not wrap around */
+       if (card->last_numid >= UINT_MAX - count)
+               card->last_numid = 0;
+
+        list_for_each_entry(kctl, &card->controls, list) {
+                if (kctl->id.numid < card->last_numid + 1 + count &&
+                    kctl->id.numid + kctl->count > card->last_numid + 1) {
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 5c67dc3..de11046 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -27,6 +27,8 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://0002-ALSA-CVE-2014-4653.patch \
    file://sctp-CVE-2014-4667.patch \
    file://sctp-CVE-2014-7841.patch \
+    file://0001-ALSA-CVE-2014-4656.patch \
+    file://0002-ALSA-CVE-2014-4656.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-09-02 13:37:23 +0200
committer	Zhenhua Luo <zhenhua.luo@freescale.com>	2015-09-06 15:12:45 +0800
commit	fb7fe3a81e654f38b03c437aa94f1d0d7cb25960 (patch)
tree	694d1b3f32b1a9411b70ee9a1373035fc01385ee
parent	5eeeb3ad74b72d904f805bc6e248e93e722b45c4 (diff)
download	meta-fsl-ppc-fb7fe3a81e654f38b03c437aa94f1d0d7cb25960.tar.gz

diff --git a/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch b/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch new file mode 100644 index 0000000..9859025 --- /dev/null +++ b/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch
@@ -0,0 +1,43 @@
		1	From 7ee7663da07717a1b31ce60d2ebf12d2058ee975 Mon Sep 17 00:00:00 2001
		2	From: Lars-Peter Clausen <lars@metafoo.de>
		3	Date: Wed, 18 Jun 2014 13:32:35 +0200
		4	Subject: [PATCH] ALSA: control: Make sure that id->index does not overflow
		5
		6	commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream.
		7
		8	The ALSA control code expects that the range of assigned indices to a control is
		9	continuous and does not overflow. Currently there are no checks to enforce this.
		10	If a control with a overflowing index range is created that control becomes
		11	effectively inaccessible and unremovable since snd_ctl_find_id() will not be
		12	able to find it. This patch adds a check that makes sure that controls with a
		13	overflowing index range can not be created.
		14
		15	Fixes CVE-2014-4656
		16	Upstream-Status: Backport
		17
		18	Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
		19	Acked-by: Jaroslav Kysela <perex@perex.cz>
		20	Signed-off-by: Takashi Iwai <tiwai@suse.de>
		21	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		23	---
		24	sound/core/control.c \| 3 +++
		25	1 file changed, 3 insertions(+)
		26
		27	diff --git a/sound/core/control.c b/sound/core/control.c
		28	index 93215b4..98a29b2 100644
		29	--- a/sound/core/control.c
		30	+++ b/sound/core/control.c
		31	@@ -343,6 +343,9 @@ int snd_ctl_add(struct snd_card card, struct snd_kcontrol kcontrol)
		32	if (snd_BUG_ON(!card \|\| !kcontrol->info))
		33	goto error;
		34	id = kcontrol->id;
		35	+ if (id.index > UINT_MAX - kcontrol->count)
		36	+ goto error;
		37	+
		38	down_write(&card->controls_rwsem);
		39	if (snd_ctl_find_id(card, &id)) {
		40	up_write(&card->controls_rwsem);
		41	--
		42	1.9.1
		43


diff --git a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch new file mode 100644 index 0000000..2065780 --- /dev/null +++ b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
@@ -0,0 +1,46 @@
		1	From 669982364299f6f22bea4324f0f7ee8f8a361b87 Mon Sep 17 00:00:00 2001
		2	From: Lars-Peter Clausen <lars@metafoo.de>
		3	Date: Wed, 18 Jun 2014 13:32:34 +0200
		4	Subject: [PATCH] ALSA: control: Handle numid overflow
		5
		6	commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream.
		7
		8	Each control gets automatically assigned its numids when the control is created.
		9	The allocation is done by incrementing the numid by the amount of allocated
		10	numids per allocation. This means that excessive creation and destruction of
		11	controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
		12	eventually overflow. Currently when this happens for the control that caused the
		13	overflow kctl->id.numid + kctl->count will also over flow causing it to be
		14	smaller than kctl->id.numid. Most of the code assumes that this is something
		15	that can not happen, so we need to make sure that it won't happen
		16
		17	Fixes CVE-2014-4656
		18	Upstream-Status: Backport
		19
		20	Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
		21	Acked-by: Jaroslav Kysela <perex@perex.cz>
		22	Signed-off-by: Takashi Iwai <tiwai@suse.de>
		23	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		24	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		25	---
		26	sound/core/control.c \| 4 ++++
		27	1 file changed, 4 insertions(+)
		28
		29	diff --git a/sound/core/control.c b/sound/core/control.c
		30	index d4a597f..93215b4 100644
		31	--- a/sound/core/control.c
		32	+++ b/sound/core/control.c
		33	@@ -289,6 +289,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card,
		34	{
		35	struct snd_kcontrol *kctl;
		36
		37	+ /* Make sure that the ids assigned to the control do not wrap around */
		38	+ if (card->last_numid >= UINT_MAX - count)
		39	+ card->last_numid = 0;
		40	+
		41	list_for_each_entry(kctl, &card->controls, list) {
		42	if (kctl->id.numid < card->last_numid + 1 + count &&
		43	kctl->id.numid + kctl->count > card->last_numid + 1) {
		44	--
		45	1.9.1
		46


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 5c67dc3..de11046 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -27,6 +27,8 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
27	file://0002-ALSA-CVE-2014-4653.patch \	27	file://0002-ALSA-CVE-2014-4653.patch \
28	file://sctp-CVE-2014-4667.patch \	28	file://sctp-CVE-2014-4667.patch \
29	file://sctp-CVE-2014-7841.patch \	29	file://sctp-CVE-2014-7841.patch \
		30	file://0001-ALSA-CVE-2014-4656.patch \
		31	file://0002-ALSA-CVE-2014-4656.patch \
30	"	32	"
31	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	33	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
32		34