diff options
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon/ALSA-CVE-2016-2546.patch | 128 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 |
3 files changed, 130 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon/ALSA-CVE-2016-2546.patch b/recipes-kernel/linux/linux-hierofalcon/ALSA-CVE-2016-2546.patch new file mode 100644 index 0000000..c17a22f --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon/ALSA-CVE-2016-2546.patch | |||
@@ -0,0 +1,128 @@ | |||
1 | From ac905ca58370789645e813d8abfa5871c93e9e36 Mon Sep 17 00:00:00 2001 | ||
2 | From: Takashi Iwai <tiwai@suse.de> | ||
3 | Date: Wed, 13 Jan 2016 17:48:01 +0100 | ||
4 | Subject: ALSA: timer: Fix race among timer ioctls | ||
5 | |||
6 | commit af368027a49a751d6ff4ee9e3f9961f35bb4fede upstream. | ||
7 | |||
8 | ALSA timer ioctls have an open race and this may lead to a | ||
9 | use-after-free of timer instance object. A simplistic fix is to make | ||
10 | each ioctl exclusive. We have already tread_sem for controlling the | ||
11 | tread, and extend this as a global mutex to be applied to each ioctl. | ||
12 | |||
13 | The downside is, of course, the worse concurrency. But these ioctls | ||
14 | aren't to be parallel accessible, in anyway, so it should be fine to | ||
15 | serialize there. | ||
16 | |||
17 | CVE: CVE-2016-2546 | ||
18 | Upstream-Status: Backport | ||
19 | |||
20 | Reported-by: Dmitry Vyukov <dvyukov@google.com> | ||
21 | Tested-by: Dmitry Vyukov <dvyukov@google.com> | ||
22 | Signed-off-by: Takashi Iwai <tiwai@suse.de> | ||
23 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
24 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
25 | --- | ||
26 | sound/core/timer.c | 32 +++++++++++++++++++------------- | ||
27 | 1 file changed, 19 insertions(+), 13 deletions(-) | ||
28 | |||
29 | diff --git a/sound/core/timer.c b/sound/core/timer.c | ||
30 | index 149d4f2..f5ec1ba 100644 | ||
31 | --- a/sound/core/timer.c | ||
32 | +++ b/sound/core/timer.c | ||
33 | @@ -73,7 +73,7 @@ struct snd_timer_user { | ||
34 | struct timespec tstamp; /* trigger tstamp */ | ||
35 | wait_queue_head_t qchange_sleep; | ||
36 | struct fasync_struct *fasync; | ||
37 | - struct mutex tread_sem; | ||
38 | + struct mutex ioctl_lock; | ||
39 | }; | ||
40 | |||
41 | /* list of timers */ | ||
42 | @@ -1263,7 +1263,7 @@ static int snd_timer_user_open(struct inode *inode, struct file *file) | ||
43 | return -ENOMEM; | ||
44 | spin_lock_init(&tu->qlock); | ||
45 | init_waitqueue_head(&tu->qchange_sleep); | ||
46 | - mutex_init(&tu->tread_sem); | ||
47 | + mutex_init(&tu->ioctl_lock); | ||
48 | tu->ticks = 1; | ||
49 | tu->queue_size = 128; | ||
50 | tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read), | ||
51 | @@ -1283,8 +1283,10 @@ static int snd_timer_user_release(struct inode *inode, struct file *file) | ||
52 | if (file->private_data) { | ||
53 | tu = file->private_data; | ||
54 | file->private_data = NULL; | ||
55 | + mutex_lock(&tu->ioctl_lock); | ||
56 | if (tu->timeri) | ||
57 | snd_timer_close(tu->timeri); | ||
58 | + mutex_unlock(&tu->ioctl_lock); | ||
59 | kfree(tu->queue); | ||
60 | kfree(tu->tqueue); | ||
61 | kfree(tu); | ||
62 | @@ -1522,7 +1524,6 @@ static int snd_timer_user_tselect(struct file *file, | ||
63 | int err = 0; | ||
64 | |||
65 | tu = file->private_data; | ||
66 | - mutex_lock(&tu->tread_sem); | ||
67 | if (tu->timeri) { | ||
68 | snd_timer_close(tu->timeri); | ||
69 | tu->timeri = NULL; | ||
70 | @@ -1566,7 +1567,6 @@ static int snd_timer_user_tselect(struct file *file, | ||
71 | } | ||
72 | |||
73 | __err: | ||
74 | - mutex_unlock(&tu->tread_sem); | ||
75 | return err; | ||
76 | } | ||
77 | |||
78 | @@ -1779,7 +1779,7 @@ enum { | ||
79 | SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23), | ||
80 | }; | ||
81 | |||
82 | -static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, | ||
83 | +static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd, | ||
84 | unsigned long arg) | ||
85 | { | ||
86 | struct snd_timer_user *tu; | ||
87 | @@ -1796,17 +1796,11 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, | ||
88 | { | ||
89 | int xarg; | ||
90 | |||
91 | - mutex_lock(&tu->tread_sem); | ||
92 | - if (tu->timeri) { /* too late */ | ||
93 | - mutex_unlock(&tu->tread_sem); | ||
94 | + if (tu->timeri) /* too late */ | ||
95 | return -EBUSY; | ||
96 | - } | ||
97 | - if (get_user(xarg, p)) { | ||
98 | - mutex_unlock(&tu->tread_sem); | ||
99 | + if (get_user(xarg, p)) | ||
100 | return -EFAULT; | ||
101 | - } | ||
102 | tu->tread = xarg ? 1 : 0; | ||
103 | - mutex_unlock(&tu->tread_sem); | ||
104 | return 0; | ||
105 | } | ||
106 | case SNDRV_TIMER_IOCTL_GINFO: | ||
107 | @@ -1839,6 +1833,18 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, | ||
108 | return -ENOTTY; | ||
109 | } | ||
110 | |||
111 | +static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, | ||
112 | + unsigned long arg) | ||
113 | +{ | ||
114 | + struct snd_timer_user *tu = file->private_data; | ||
115 | + long ret; | ||
116 | + | ||
117 | + mutex_lock(&tu->ioctl_lock); | ||
118 | + ret = __snd_timer_user_ioctl(file, cmd, arg); | ||
119 | + mutex_unlock(&tu->ioctl_lock); | ||
120 | + return ret; | ||
121 | +} | ||
122 | + | ||
123 | static int snd_timer_user_fasync(int fd, struct file * file, int on) | ||
124 | { | ||
125 | struct snd_timer_user *tu; | ||
126 | -- | ||
127 | cgit v0.12 | ||
128 | |||
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index 92f6664..d56f1ff 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb | |||
@@ -34,6 +34,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6 | |||
34 | file://virtio-net-CVE-2015-5156.patch \ | 34 | file://virtio-net-CVE-2015-5156.patch \ |
35 | file://ipc-CVE-2015-7613.patch \ | 35 | file://ipc-CVE-2015-7613.patch \ |
36 | file://net-unix-CVE-2013-7446.patch \ | 36 | file://net-unix-CVE-2013-7446.patch \ |
37 | file://ALSA-CVE-2016-2546.patch \ | ||
37 | " | 38 | " |
38 | 39 | ||
39 | S = "${WORKDIR}/git" | 40 | S = "${WORKDIR}/git" |
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb index 1227c71..2141668 100644 --- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb +++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb | |||
@@ -35,6 +35,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64 | |||
35 | file://net-unix-CVE-2013-7446.patch \ | 35 | file://net-unix-CVE-2013-7446.patch \ |
36 | file://usb-CVE-2015-8816.patch \ | 36 | file://usb-CVE-2015-8816.patch \ |
37 | file://bpf-CVE-2016-2383.patch \ | 37 | file://bpf-CVE-2016-2383.patch \ |
38 | file://ALSA-CVE-2016-2546.patch \ | ||
38 | " | 39 | " |
39 | 40 | ||
40 | S = "${WORKDIR}/git" | 41 | S = "${WORKDIR}/git" |