Fix CVE-2010-3080: /dev/sequencer open failure is not handled correctly

This commit is contained in:
Chuck Ebbert 2010-09-14 22:17:35 -04:00
parent dfcfe74aa7
commit 5bfd09461d
2 changed files with 62 additions and 0 deletions

View File

@ -0,0 +1,53 @@
From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200)
Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
The error handling in snd_seq_oss_open() has several bad codes that
do dereferecing released pointers and double-free of kmalloc'ed data.
The object dp is release in free_devinfo() that is called via
private_free callback. The rest shouldn't touch this object any more.
The patch changes delete_port() to call kfree() in any case, and gets
rid of unnecessary calls of destructors in snd_seq_oss_open().
Fixes CVE-2010-3080.
Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
index 6857122..69cd7b3 100644
--- a/sound/core/seq/oss/seq_oss_init.c
+++ b/sound/core/seq/oss/seq_oss_init.c
@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level)
return 0;
_error:
- snd_seq_oss_writeq_delete(dp->writeq);
- snd_seq_oss_readq_delete(dp->readq);
snd_seq_oss_synth_cleanup(dp);
snd_seq_oss_midi_cleanup(dp);
- delete_port(dp);
delete_seq_queue(dp->queue);
- kfree(dp);
+ delete_port(dp);
return rc;
}
@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp)
static int
delete_port(struct seq_oss_devinfo *dp)
{
- if (dp->port < 0)
+ if (dp->port < 0) {
+ kfree(dp);
return 0;
+ }
debug_printk(("delete_port %i\n", dp->port));
return snd_seq_event_port_detach(dp->cseq, dp->port);

View File

@ -802,6 +802,9 @@ Patch12540: execve-improve-interactivity-with-large-arguments.patch
Patch12541: execve-make-responsive-to-sigkill-with-large-arguments.patch
Patch12542: setup_arg_pages-diagnose-excessive-argument-size.patch
# CVE-2010-3080
Patch12550: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@ -1513,6 +1516,9 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch
ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
# CVE-2010-3080
ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
# END OF PATCH APPLICATIONS
%endif
@ -2135,6 +2141,9 @@ fi
%changelog
* Tue Sep 14 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.34.7-57
- Fix CVE-2010-3080: /dev/sequencer open failure is not handled correctly
* Tue Sep 14 2010 Chuck Ebbert <cebbert@redhat.com>
- Fix bug added in 2.6.34.6-53
* Tue Sep 14 2010 Chuck Ebbert <cebbert@redhat.com>