kernel-ALSA: CVE-2016-2384

Fixes double-free in usb-audio triggered by invalid USB descriptor. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2384 Reference to the upstream patch: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=1ea63b629c9c53af6cdde4daf166b3d31b3e9cfe Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-04-14 13:40:53 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2016-04-15 13:20:43 +0200
commit: f843c4d152d2819b4df601a19e71f15099efecc4 (patch)
tree: dd884277867515b21a49a73e0bc0265bab433276
parent: 291c45aaebb29078e32ff38f7b9998fd9fdfe167 (diff)
download: meta-hierofalcon-f843c4d152d2819b4df601a19e71f15099efecc4.tar.gz
3 files changed, 43 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon/ALSA-CVE-2016-2384.patch b/recipes-kernel/linux/linux-hierofalcon/ALSA-CVE-2016-2384.patch
new file mode 100644
index 0000000..23fb898
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/ALSA-CVE-2016-2384.patch
@@ -0,0 +1,41 @@
+From 1ea63b629c9c53af6cdde4daf166b3d31b3e9cfe Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@gmail.com>
+Date: Sat, 13 Feb 2016 11:08:06 +0300
+Subject: ALSA: usb-audio: avoid freeing umidi object twice
+[ Upstream commit 07d86ca93db7e5cdf4743564d98292042ec21af7 ]
+The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
+when tearing down the rawmidi interface. So we shouldn't try to free it
+in snd_usbmidi_create() after having registered the rawmidi interface.
+Found by KASAN.
+CVE: CVE-2016-2384
+Upstream-Status: Backport
+Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
+Acked-by: Clemens Ladisch <clemens@ladisch.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ sound/usb/midi.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index bec63e0..f059326 100644
+--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
+@@ -2451,7 +2451,6 @@ int snd_usbmidi_create(struct snd_card *card,
+        else
+                err = snd_usbmidi_create_endpoints(umidi, endpoints);
+        if (err < 0) {
+-               snd_usbmidi_free(umidi);
+                return err;
+        }
+ 
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 55ccec7..5419b62 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -36,6 +36,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
           file://net-unix-CVE-2013-7446.patch \
           file://ALSA-CVE-2016-2546.patch \
           file://Btrfs-CVE-2015-8374.patch \
+           file://ALSA-CVE-2016-2384.patch \
           "
 S = "${WORKDIR}/git"
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index f528b53..39c40dd 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
           file://bpf-CVE-2016-2383.patch \
           file://ALSA-CVE-2016-2546.patch \
           file://Btrfs-CVE-2015-8374.patch \
+           file://ALSA-CVE-2016-2384.patch \
           "
 S = "${WORKDIR}/git"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-04-14 13:40:53 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2016-04-15 13:20:43 +0200
commit	f843c4d152d2819b4df601a19e71f15099efecc4 (patch)
tree	dd884277867515b21a49a73e0bc0265bab433276
parent	291c45aaebb29078e32ff38f7b9998fd9fdfe167 (diff)
download	meta-hierofalcon-f843c4d152d2819b4df601a19e71f15099efecc4.tar.gz

diff --git a/recipes-kernel/linux/linux-hierofalcon/ALSA-CVE-2016-2384.patch b/recipes-kernel/linux/linux-hierofalcon/ALSA-CVE-2016-2384.patch new file mode 100644 index 0000000..23fb898 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon/ALSA-CVE-2016-2384.patch
@@ -0,0 +1,41 @@
		1	From 1ea63b629c9c53af6cdde4daf166b3d31b3e9cfe Mon Sep 17 00:00:00 2001
		2	From: Andrey Konovalov <andreyknvl@gmail.com>
		3	Date: Sat, 13 Feb 2016 11:08:06 +0300
		4	Subject: ALSA: usb-audio: avoid freeing umidi object twice
		5
		6	[ Upstream commit 07d86ca93db7e5cdf4743564d98292042ec21af7 ]
		7
		8	The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
		9	when tearing down the rawmidi interface. So we shouldn't try to free it
		10	in snd_usbmidi_create() after having registered the rawmidi interface.
		11
		12	Found by KASAN.
		13
		14	CVE: CVE-2016-2384
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
		18	Acked-by: Clemens Ladisch <clemens@ladisch.de>
		19	Cc: <stable@vger.kernel.org>
		20	Signed-off-by: Takashi Iwai <tiwai@suse.de>
		21	Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
		22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		23	---
		24	sound/usb/midi.c \| 1 -
		25	1 file changed, 1 deletion(-)
		26
		27	diff --git a/sound/usb/midi.c b/sound/usb/midi.c
		28	index bec63e0..f059326 100644
		29	--- a/sound/usb/midi.c
		30	+++ b/sound/usb/midi.c
		31	@@ -2451,7 +2451,6 @@ int snd_usbmidi_create(struct snd_card *card,
		32	else
		33	err = snd_usbmidi_create_endpoints(umidi, endpoints);
		34	if (err < 0) {
		35	- snd_usbmidi_free(umidi);
		36	return err;
		37	}
		38
		39	--
		40	cgit v0.12
		41


diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index 55ccec7..5419b62 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -36,6 +36,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
36	file://net-unix-CVE-2013-7446.patch \	36	file://net-unix-CVE-2013-7446.patch \
37	file://ALSA-CVE-2016-2546.patch \	37	file://ALSA-CVE-2016-2546.patch \
38	file://Btrfs-CVE-2015-8374.patch \	38	file://Btrfs-CVE-2015-8374.patch \
		39	file://ALSA-CVE-2016-2384.patch \
39	"	40	"
40		41
41	S = "${WORKDIR}/git"	42	S = "${WORKDIR}/git"


diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb index f528b53..39c40dd 100644 --- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb +++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -37,6 +37,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
37	file://bpf-CVE-2016-2383.patch \	37	file://bpf-CVE-2016-2383.patch \
38	file://ALSA-CVE-2016-2546.patch \	38	file://ALSA-CVE-2016-2546.patch \
39	file://Btrfs-CVE-2015-8374.patch \	39	file://Btrfs-CVE-2015-8374.patch \
		40	file://ALSA-CVE-2016-2384.patch \
40	"	41	"
41		42
42	S = "${WORKDIR}/git"	43	S = "${WORKDIR}/git"