Add another patch for CVE-2016-2184
This commit is contained in:
parent
b37bd2e19d
commit
2c8998104c
100
ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch
Normal file
100
ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch
Normal file
@ -0,0 +1,100 @@
|
||||
From 1b9e866417f77622b03f5b9c4e2845133054e670 Mon Sep 17 00:00:00 2001
|
||||
From: Vladis Dronov <vdronov@redhat.com>
|
||||
Date: Thu, 31 Mar 2016 12:05:43 -0400
|
||||
Subject: [PATCH 2/2] ALSA: usb-audio: Fix double-free in error paths after
|
||||
snd_usb_add_audio_stream() call
|
||||
|
||||
create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
|
||||
create_uaxx_quirk() functions allocate the audioformat object by themselves
|
||||
and free it upon error before returning. However, once the object is linked
|
||||
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
|
||||
double-freed, eventually resulting in a memory corruption.
|
||||
|
||||
This patch fixes these failures in the error paths by unlinking the audioformat
|
||||
object before freeing it.
|
||||
|
||||
Based on a patch by Takashi Iwai" <tiwai@suse.de>
|
||||
|
||||
[Note for stable backports:
|
||||
this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
|
||||
code cleanup in create_fixed_stream_quirk()')]
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
|
||||
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
||||
Cc: <stable@vger.kernel.org> # see the note above
|
||||
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
||||
---
|
||||
sound/usb/quirks.c | 4 ++++
|
||||
sound/usb/stream.c | 6 +++++-
|
||||
2 files changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
|
||||
index 2f0bbc43f902..6f68ba9bda8a 100644
|
||||
--- a/sound/usb/quirks.c
|
||||
+++ b/sound/usb/quirks.c
|
||||
@@ -150,6 +150,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
|
||||
usb_audio_err(chip, "cannot memdup\n");
|
||||
return -ENOMEM;
|
||||
}
|
||||
+ INIT_LIST_HEAD(&fp->list);
|
||||
if (fp->nr_rates > MAX_NR_RATES) {
|
||||
kfree(fp);
|
||||
return -EINVAL;
|
||||
@@ -193,6 +194,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
|
||||
return 0;
|
||||
|
||||
error:
|
||||
+ list_del(&fp->list); /* unlink for avoiding double-free */
|
||||
kfree(fp);
|
||||
kfree(rate_table);
|
||||
return err;
|
||||
@@ -468,6 +470,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
|
||||
fp->ep_attr = get_endpoint(alts, 0)->bmAttributes;
|
||||
fp->datainterval = 0;
|
||||
fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
|
||||
+ INIT_LIST_HEAD(&fp->list);
|
||||
|
||||
switch (fp->maxpacksize) {
|
||||
case 0x120:
|
||||
@@ -491,6 +494,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
|
||||
? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
|
||||
err = snd_usb_add_audio_stream(chip, stream, fp);
|
||||
if (err < 0) {
|
||||
+ list_del(&fp->list); /* unlink for avoiding double-free */
|
||||
kfree(fp);
|
||||
return err;
|
||||
}
|
||||
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
|
||||
index 8ee14f2365e7..3b23102230c0 100644
|
||||
--- a/sound/usb/stream.c
|
||||
+++ b/sound/usb/stream.c
|
||||
@@ -316,7 +316,9 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits,
|
||||
/*
|
||||
* add this endpoint to the chip instance.
|
||||
* if a stream with the same endpoint already exists, append to it.
|
||||
- * if not, create a new pcm stream.
|
||||
+ * if not, create a new pcm stream. note, fp is added to the substream
|
||||
+ * fmt_list and will be freed on the chip instance release. do not free
|
||||
+ * fp or do remove it from the substream fmt_list to avoid double-free.
|
||||
*/
|
||||
int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
|
||||
int stream,
|
||||
@@ -677,6 +679,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
|
||||
* (fp->maxpacksize & 0x7ff);
|
||||
fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no);
|
||||
fp->clock = clock;
|
||||
+ INIT_LIST_HEAD(&fp->list);
|
||||
|
||||
/* some quirks for attributes here */
|
||||
|
||||
@@ -725,6 +728,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
|
||||
dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint);
|
||||
err = snd_usb_add_audio_stream(chip, stream, fp);
|
||||
if (err < 0) {
|
||||
+ list_del(&fp->list); /* unlink for avoiding double-free */
|
||||
kfree(fp->rate_table);
|
||||
kfree(fp->chmap);
|
||||
kfree(fp);
|
||||
--
|
||||
2.5.5
|
||||
|
@ -619,6 +619,9 @@ Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
|
||||
#CVE-2016-3134 rhbz 1317383 1317384
|
||||
Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
|
||||
|
||||
#CVE-2016-2184 rhbz 1317012 1317470
|
||||
Patch668: ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch
|
||||
|
||||
#CVE-2016-3137 rhbz 1317010 1316996
|
||||
Patch672: cypress_m8-add-sanity-checking.patch
|
||||
|
||||
@ -2164,6 +2167,9 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Mar 31 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Add another patch for CVE-2016-2184
|
||||
|
||||
* Wed Mar 30 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Fix undefined __always_inline in exported headers (rhbz 1321749)
|
||||
- Make sure to install objtool in -devel subpackage if it exists (rhbz 1321628)
|
||||
|
Loading…
Reference in New Issue
Block a user