CVE-2016-2384 double free in usb-audio from invalid USB descriptor (rhbz 1308444 1308445)

2016-02-15 08:28:02 -05:00 · 2016-02-15 08:28:02 -05:00 · d9800d33d3
parent eb2a046afd
commit d9800d33d3
2 changed files with 43 additions and 0 deletions
--- a/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
+++ b/ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
@ -0,0 +1,34 @@
+From 07d86ca93db7e5cdf4743564d98292042ec21af7 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@gmail.com>
+Date: Sat, 13 Feb 2016 11:08:06 +0300
+Subject: [PATCH] ALSA: usb-audio: avoid freeing umidi object twice
+
+The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
+when tearing down the rawmidi interface. So we shouldn't try to free it
+in snd_usbmidi_create() after having registered the rawmidi interface.
+
+Found by KASAN.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
+Acked-by: Clemens Ladisch <clemens@ladisch.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/midi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index cc39f63299ef..007cf5831121 100644
+--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
+@@ -2455,7 +2455,6 @@ int snd_usbmidi_create(struct snd_card *card,
+ 	else
+ 		err = snd_usbmidi_create_endpoints(umidi, endpoints);
+ 	if (err < 0) {
+-		snd_usbmidi_free(umidi);
+ 		return err;
+ 	}
+ 
+-- 
+2.5.0
+
--- a/kernel.spec
+++ b/kernel.spec
@ -705,6 +705,9 @@ Patch647: rtlwifi-fix-memory-leak-for-USB-device.patch
 #CVE-2016-0617 rhbz 1305803 1305804
 Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch

+#CVE-2016-2384 rhbz 1308444 1308445
+Patch649: ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1474,6 +1477,9 @@ ApplyPatch rtlwifi-fix-memory-leak-for-USB-device.patch
 #CVE-2016-0617 rhbz 1305803 1305804
 ApplyPatch fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch

+#CVE-2016-2384 rhbz 1308444 1308445
+ApplyPatch ALSA-usb-audio-avoid-freeing-umidi-object-twice.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2323,6 +2329,9 @@ fi
 #
 # 
 %changelog
+* Mon Feb 15 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-2384 double free in usb-audio from invalid USB descriptor (rhbz 1308444 1308445)
+
 * Tue Feb 09 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2016-0617 fix hugetlbfs inode.c issues (rhbz 1305803 1305804)