Add two more patches for CVE-2016-2184

2016-03-31 14:30:06 -04:00 · 2016-03-31 14:30:06 -04:00 · 394fde4528
parent c1afd21fe4
commit 394fde4528
3 changed files with 167 additions and 0 deletions
--- a/ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch
+++ b/ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch
@ -0,0 +1,100 @@
+From 1b9e866417f77622b03f5b9c4e2845133054e670 Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Thu, 31 Mar 2016 12:05:43 -0400
+Subject: [PATCH 2/2] ALSA: usb-audio: Fix double-free in error paths after
+ snd_usb_add_audio_stream() call
+
+create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
+create_uaxx_quirk() functions allocate the audioformat object by themselves
+and free it upon error before returning. However, once the object is linked
+to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
+double-freed, eventually resulting in a memory corruption.
+
+This patch fixes these failures in the error paths by unlinking the audioformat
+object before freeing it.
+
+Based on a patch by Takashi Iwai" <tiwai@suse.de>
+
+[Note for stable backports:
+ this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
+ code cleanup in create_fixed_stream_quirk()')]
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Cc: <stable@vger.kernel.org> # see the note above
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ sound/usb/quirks.c | 4 ++++
+ sound/usb/stream.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 2f0bbc43f902..6f68ba9bda8a 100644
+--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
+@@ -150,6 +150,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ 		usb_audio_err(chip, "cannot memdup\n");
+ 		return -ENOMEM;
+ 	}
+	INIT_LIST_HEAD(&fp->list);
+ 	if (fp->nr_rates > MAX_NR_RATES) {
+ 		kfree(fp);
+ 		return -EINVAL;
+@@ -193,6 +194,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ 	return 0;
+ 
+  error:
+	list_del(&fp->list); /* unlink for avoiding double-free */
+ 	kfree(fp);
+ 	kfree(rate_table);
+ 	return err;
+@@ -468,6 +470,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
+ 	fp->ep_attr = get_endpoint(alts, 0)->bmAttributes;
+ 	fp->datainterval = 0;
+ 	fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
+	INIT_LIST_HEAD(&fp->list);
+ 
+ 	switch (fp->maxpacksize) {
+ 	case 0x120:
+@@ -491,6 +494,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
+ 		? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
+ 	err = snd_usb_add_audio_stream(chip, stream, fp);
+ 	if (err < 0) {
+		list_del(&fp->list); /* unlink for avoiding double-free */
+ 		kfree(fp);
+ 		return err;
+ 	}
+diff --git a/sound/usb/stream.c b/sound/usb/stream.c
+index 8ee14f2365e7..3b23102230c0 100644
+--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
+@@ -316,7 +316,9 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits,
+ /*
+  * add this endpoint to the chip instance.
+  * if a stream with the same endpoint already exists, append to it.
+- * if not, create a new pcm stream.
+ * if not, create a new pcm stream. note, fp is added to the substream
+ * fmt_list and will be freed on the chip instance release. do not free
+ * fp or do remove it from the substream fmt_list to avoid double-free.
+  */
+ int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
+ 			     int stream,
+@@ -677,6 +679,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
+ 					* (fp->maxpacksize & 0x7ff);
+ 		fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no);
+ 		fp->clock = clock;
+		INIT_LIST_HEAD(&fp->list);
+ 
+ 		/* some quirks for attributes here */
+ 
+@@ -725,6 +728,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
+ 		dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint);
+ 		err = snd_usb_add_audio_stream(chip, stream, fp);
+ 		if (err < 0) {
+			list_del(&fp->list); /* unlink for avoiding double-free */
+ 			kfree(fp->rate_table);
+ 			kfree(fp->chmap);
+ 			kfree(fp);
+-- 
+2.5.5
+
--- a/ALSA-usb-audio-Minor-code-cleanup-in-create_fixed_st.patch
+++ b/ALSA-usb-audio-Minor-code-cleanup-in-create_fixed_st.patch
@ -0,0 +1,62 @@
+From aa6c68ed429ba354b904554d396326bfd9ab96bf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 15 Mar 2016 12:14:49 +0100
+Subject: [PATCH 1/2] ALSA: usb-audio: Minor code cleanup in
+ create_fixed_stream_quirk()
+
+Just a minor code cleanup: unify the error paths.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/quirks.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index f2e4eebdf76d..2f0bbc43f902 100644
+--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
+@@ -167,23 +167,18 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ 	stream = (fp->endpoint & USB_DIR_IN)
+ 		? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
+ 	err = snd_usb_add_audio_stream(chip, stream, fp);
+-	if (err < 0) {
+-		kfree(fp);
+-		kfree(rate_table);
+-		return err;
+-	}
+	if (err < 0)
+		goto error;
+ 	if (fp->iface != get_iface_desc(&iface->altsetting[0])->bInterfaceNumber ||
+ 	    fp->altset_idx >= iface->num_altsetting) {
+-		kfree(fp);
+-		kfree(rate_table);
+-		return -EINVAL;
+		err = -EINVAL;
+		goto error;
+ 	}
+ 	alts = &iface->altsetting[fp->altset_idx];
+ 	altsd = get_iface_desc(alts);
+ 	if (altsd->bNumEndpoints < 1) {
+-		kfree(fp);
+-		kfree(rate_table);
+-		return -EINVAL;
+		err = -EINVAL;
+		goto error;
+ 	}
+ 
+ 	fp->protocol = altsd->bInterfaceProtocol;
+@@ -196,6 +191,11 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ 	snd_usb_init_pitch(chip, fp->iface, alts, fp);
+ 	snd_usb_init_sample_rate(chip, fp->iface, alts, fp, fp->rate_max);
+ 	return 0;
+
+ error:
+	kfree(fp);
+	kfree(rate_table);
+	return err;
+ }
+ 
+ static int create_auto_pcm_quirk(struct snd_usb_audio *chip,
+-- 
+2.5.5
+
--- a/kernel.spec
+++ b/kernel.spec
@ -633,6 +633,8 @@ Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
 #CVE-2016-2184 rhbz 1317012 1317470
 Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
 Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
+Patch667: ALSA-usb-audio-Minor-code-cleanup-in-create_fixed_st.patch
+Patch668: ALSA-usb-audio-Fix-double-free-in-error-paths-after-.patch

 #CVE-2016-3137 rhbz 1317010 1316996
 Patch672: cypress_m8-add-sanity-checking.patch
@ -2119,6 +2121,9 @@ fi
 #
 # 
 %changelog
+* Thu Mar 31 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Add two more patches for CVE-2016-2184
+
 * Wed Mar 30 2016 Laura Abbott <labbott@redhat.com> - 4.4.6-301
 - Bump and build