diff --git a/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch b/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch new file mode 100644 index 000000000..73e65ecda --- /dev/null +++ b/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch @@ -0,0 +1,53 @@ +From: Takashi Iwai +Date: Mon, 6 Sep 2010 07:13:45 +0000 (+0200) +Subject: ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd + +ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() + +The error handling in snd_seq_oss_open() has several bad codes that +do dereferecing released pointers and double-free of kmalloc'ed data. +The object dp is release in free_devinfo() that is called via +private_free callback. The rest shouldn't touch this object any more. + +The patch changes delete_port() to call kfree() in any case, and gets +rid of unnecessary calls of destructors in snd_seq_oss_open(). + +Fixes CVE-2010-3080. + +Reported-and-tested-by: Tavis Ormandy +Cc: +Signed-off-by: Takashi Iwai +--- + +diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c +index 6857122..69cd7b3 100644 +--- a/sound/core/seq/oss/seq_oss_init.c ++++ b/sound/core/seq/oss/seq_oss_init.c +@@ -281,13 +281,10 @@ snd_seq_oss_open(struct file *file, int level) + return 0; + + _error: +- snd_seq_oss_writeq_delete(dp->writeq); +- snd_seq_oss_readq_delete(dp->readq); + snd_seq_oss_synth_cleanup(dp); + snd_seq_oss_midi_cleanup(dp); +- delete_port(dp); + delete_seq_queue(dp->queue); +- kfree(dp); ++ delete_port(dp); + + return rc; + } +@@ -350,8 +347,10 @@ create_port(struct seq_oss_devinfo *dp) + static int + delete_port(struct seq_oss_devinfo *dp) + { +- if (dp->port < 0) ++ if (dp->port < 0) { ++ kfree(dp); + return 0; ++ } + + debug_printk(("delete_port %i\n", dp->port)); + return snd_seq_event_port_detach(dp->cseq, dp->port); diff --git a/kernel.spec b/kernel.spec index 90e84f796..15b40a29e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -802,6 +802,9 @@ Patch12540: execve-improve-interactivity-with-large-arguments.patch Patch12541: execve-make-responsive-to-sigkill-with-large-arguments.patch Patch12542: setup_arg_pages-diagnose-excessive-argument-size.patch +# CVE-2010-3080 +Patch12550: alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch + %endif BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root @@ -1513,6 +1516,9 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch +# CVE-2010-3080 +ApplyPatch alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch + # END OF PATCH APPLICATIONS %endif @@ -2135,6 +2141,9 @@ fi %changelog * Tue Sep 14 2010 Chuck Ebbert 2.6.34.7-57 +- Fix CVE-2010-3080: /dev/sequencer open failure is not handled correctly + +* Tue Sep 14 2010 Chuck Ebbert - Fix bug added in 2.6.34.6-53 * Tue Sep 14 2010 Chuck Ebbert